Reproducing bullseye in practice!



Holger Levsen

to share and widen the understanding of the status of reproducible bullseye!

Who am I

  1. Holger Levsen / holger@debian.org
  2. Debian user since 1995
  3. Debian member since 2007
  4. Working on Reproducible Builds since 2014
  5. Located in Hamburg, Germany

I miss you, lovely Debian people!

...and I miss DebConf!

...and this is all wrong.

However, it is what is... sigh.

Also, please remember: the worldwide pandemic is a small crisis, compared to the climate apocalypse we are heading into.

Anyway.

Introduction

The problem

  • Source code of free software available
  • …most people install pre-compiled binaries
  • We have no idea whether they correspond.

I'll mostly ignore why and how to do such builds now.

Instead I will focus on how to distribute and verify.

(Sadly this talk is not team prepared and thus misses the updates since last DebConf section and more.)

https://reproducible-builds.org

My goals / wishes for today

To share and widen the understanding of the status of reproducible bullseye:
  • CI versus rebuilds
  • issues with buildinfos.debian.net/org
  • thousands of packages without .buildinfo files in bullseye
  • fix and improve debrebuild (from src:devscripts)
  • other issues
  • using reproducible builds and user interfaces are not even on my radar (anymore), but we will need those too.

Though first, my frustration

I feel I have given warnings that the next Debian release will not be reproducible for years.

And here we go again: bullseye will not be reproducible in practice.

Unless we/you act up now.

Debian stretch

The "reproducible in theory but not in practice" release

Debian buster

The "we could be reproducible but we are not" release

Debian bullseye

The "we are almost there but still haven't sorted out..." release?

Debian bullseye

The release is still far away and we haven't frozen yet!

Ride like the wind, bullseye

Bugs bugs bugs

With the upcoming list of bugs I don't want to point fingers at individual teams (or people); instead I think we can only solve this if we as Debian decide we want to solve it for bullseye.
I think this is not happening because people believe things have been sorted out and that we take care of them. But we aren't; we can't do this alone.

share and widen understanding of the status of reproducible bullseye

CI versus rebuilds

Debian is wrong

93% reproducibility is a lie.

or rather: 93% are CI results.

CI versus rebuilds:

  • We have no Debian infrastructure rebuilding Debian packages.
  • The reproducible-builds.org rebuilders are builders, not rebuilders.
  • There's an NYU-driven proof of concept.
  • There's a prototype on jenkins.d.n using debrebuild...
  • Arch Linux has rebuilderd, written in Rust (and see issue #4)
  • Integration with Debian's official buildd network?!?


issues with buildinfos.debian.net/org

.buildinfo files

buildinfo.debian.net versus buildinfos.debian.net

buildinfo.debian.net: Allows submissions from everyone (PostgreSQL)

buildinfos.debian.net: views of the .buildinfo files from ftp-master.d.o, by build date and in the traditional pool structure

.buildinfo files from an unofficial service?

  • There should be a debian.org machine serving .buildinfo files to the public.
  • Since December 2016: 965,333 files in total, e.g. 118,195 amd64-related.
  • 12 GB files, 4 GB links.
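As an added illustration (not code from this talk, from Holger, or from buildinfos.debian.net): given what dpkg reports as installed, compute the pool-style paths of the .buildinfo files a verifier would have to fetch. The lib* prefix rule and the absence of the epoch in file names are Debian's pool conventions; that buildinfos.debian.net exposes exactly these paths, and the dpkg-query lines used as input, are assumptions made for the example.

```python
# Added example: derive pool-style .buildinfo paths for what dpkg says is
# installed. The pool rules (lib* prefix, no epoch in file names) are Debian's;
# that buildinfos.debian.net serves exactly these paths is an assumption.

def pool_prefix(source: str) -> str:
    """Pool subdirectory: the first letter, or 'lib' plus the next letter for lib* sources."""
    return source[:4] if source.startswith("lib") else source[:1]

def strip_epoch(version: str) -> str:
    """The epoch is part of the version but never of a file name: '4:10.2.0-1' -> '10.2.0-1'."""
    return version.split(":", 1)[1] if ":" in version else version

def buildinfo_pool_path(source: str, version: str, arch: str, component: str = "main") -> str:
    """pool/<component>/<prefix>/<source>/<source>_<version>_<arch>.buildinfo, using the
    *binary* version: a binNMU's .buildinfo is named with its '+bN' suffix."""
    return (f"pool/{component}/{pool_prefix(source)}/{source}/"
            f"{source}_{strip_epoch(version)}_{arch}.buildinfo")

def paths_for_installed(dpkg_query_output: str) -> list:
    """One input line per installed package, '<binary> <source> <version> <arch>', as
    printed by dpkg-query -W -f with ${Package} ${source:Package} ${Version} ${Architecture}.
    Returns sorted, de-duplicated paths: all binaries of one source+arch share a .buildinfo.
    Caveat: arch:all packages built together with arch-dependent ones are recorded in the
    build architecture's .buildinfo, so an '_all' path may need a second lookup."""
    paths = set()
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        _binary, source, version, arch = line.split()
        paths.add(buildinfo_pool_path(source, version, arch))
    return sorted(paths)

# Constructed sample of dpkg-query output; not taken from a real system.
SAMPLE_DPKG_QUERY = """\
libxml2 libxml2 2.9.10+dfsg-6 amd64
libxml2-utils libxml2 2.9.10+dfsg-6 amd64
hello hello 2.10-2+b1 amd64
gcc gcc-defaults 4:10.2.0-1 amd64
python3-six six 1.15.0-1 all
"""
```

The de-duplication matters in practice: one .buildinfo covers every binary package a build produced, so a system with a few thousand packages needs far fewer .buildinfo files than packages, which is also why it is cheap to mirror them alongside the pool.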

.buildinfo files

  • #862073 ftp.debian.org: Please POST .buildinfo files to buildinfo.debian.net
  • #763822 ftp.debian.org: please include .buildinfo file in the archive
  • #862538 security.debian.org: Please POST .buildinfo files to buildinfo.debian.net
  • #929397 ftp.d.o: please upload LTS .buildinfo files to ftp-master

.buildinfo database

builtin-pho: a database for .buildinfo data (PostgreSQL)

Thanks to David Bremner


.buildinfo files as part of the binary packages???

  • Arch Linux already uses this approach.
  • Solves those 4 bugs above (and some others).
  • Virtually no impact on the mirrors and easy solution for mirroring!
  • Difficult with current dpkg design.


thousands of packages without .buildinfo files in bullseye

  • mostly arch:all packages (but not only)
  • binNMUs are not possible for arch:all packages
  • Shall we do mass NMUs, e.g. scripted with dgit?
  • #900837 release.debian.org: Mass-rebuild of packages for reproducible builds


fix and improve debrebuild (from src:devscripts)

normal bugs
  • #955049 debrebuild: no manpage and no --help option
  • #955050 debrebuild: please accept signed .buildinfo files
  • #955307 debrebuild: should avoid downgrades
  • #961862 debrebuild: should assemble the source for binNMUs
  • #961864 debrebuild: creates wrong commandline for binNMUs
  • #969098 debrebuild: fails to download some packages from snapshot.d.o

wishlist bugs
  • #955123 debrebuild: please provide --sbuild-output-only option
  • #955304 debrebuild: suggested sbuild command should use --no-run-lintian
  • #955308 debrebuild: also explain *how* to use snapshot.d.o
  • #958750 debrebuild: please add --standalone mode or --one-shot-mode
  • #961861 debrebuild: should (optionally) download the source too
  • #964722 debrebuild: please add option for rebuilding in the same path


other issues

Misc other issues

  • #869184 sbuild, dput, dpkg: source uploads including _amd64.buildinfo causes problems
  • #969084: buildd.d.o: please don't use a tainted buildenv
  • #894441 binNMUs, mtimes and rsync(1) causes problems and binNMUs should be replaced by easy "no-change-except-debian/changelog-uploads"
  • #863622: apt: warn when installing packages that are not reproducible

other issues, release team related

  • We are very happy that testing migration is blocked for binary uploads
  • We very much like the idea of accelerating migration for reproducibility.
  • Debian policy: probably too early for "must", but maybe time for "must not regress"? (This needs rebuilders first.)

Summary

  • fixing debrebuild should be rather straightforward
  • distributing .buildinfo files, OTOH, is hard
  • ...but distributing .buildinfo files is also crucial.
  • ...and then rebuilders...


Thank you
… and all the contributors out there!

Do you think reproducible builds should happen?

If so, please pick one of these bugs and help fix it.
We need your help.

https://wiki.debian.org/ReproducibleBuilds


Holger Levsen <holger@debian.org>
B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C