Documentation index

Volatile inputs can disappear

Inputs fetched over the network are volatile, even when they do not look it: a file that is downloaded at build time today may have moved, changed, or vanished by the time someone tries to reproduce the build. The safest design is a build system that does not depend on remote data at all.

If remote data cannot be avoided, then:

  1. verify the integrity of every downloaded file against a cryptographic checksum recorded in the source tree, so that a changed or substituted file is rejected rather than silently built,
  2. keep backup copies of the downloaded files.

Ideally, the backups are themselves served from a fallback location that the build can use when the original site is unreachable.

A good example is how the FreeBSD ports work. Port descriptions contain a list of MASTER_SITES, a list of files to be retrieved in DISTFILES, and a distinfo file with cryptographic checksums for each of these files. The FreeBSD infrastructure ensures that copies of all distfiles are kept available on a mirror network. When building a port, the files will be downloaded from there if the original master site is unreachable, and the checksum is verified whichever site supplied the file, so a mirror cannot substitute a different archive unnoticed.
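As an added illustration (not code from this documentation or from the FreeBSD ports tree), a POSIX sh sketch of the ports-style fetch loop: try each site in order, fall back to a backup mirror, and accept a file only if its SHA-256 matches the distinfo entry. The sites are local directories standing in for URLs so it runs offline; the file name foo-1.0.tar.gz, the site names and the distinfo contents are constructed fixtures.

```shell
#!/bin/sh
# Added example: a ports-style fetch with fallback sites and distinfo
# verification. Sites are local directories standing in for URLs so the
# script runs offline; the file name and site names are made up.

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or perl shasum).
sha256_of() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -d' ' -f1
}

# verify_distfile FILE DISTINFO
# Succeeds only if FILE's SHA-256 matches the "SHA256 (name) = hash"
# entry for it in DISTINFO (the format FreeBSD's distinfo files use).
verify_distfile() {
    file=$1; distinfo=$2
    fname=$(basename "$file")
    expected=$(awk -v n="($fname)" '$1 == "SHA256" && $2 == n { print $4 }' "$distinfo")
    if [ -z "$expected" ]; then
        echo "no SHA256 recorded for $fname in $distinfo" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# fetch_distfile NAME DESTDIR DISTINFO SITE...
# Try the sites in order (master sites first, backup mirrors last). A
# copy that fails verification is deleted and the next site is tried,
# so an unreachable site and a tampered mirror are both survivable as
# long as one site serves the recorded bytes. Prints the site used.
fetch_distfile() {
    name=$1; dest=$2; distinfo=$3; shift 3
    for site in "$@"; do
        # cp stands in for "fetch $site/$name"; failure = site unreachable.
        if ! cp "$site/$name" "$dest/$name" 2>/dev/null; then
            echo "$site: unreachable, trying next" >&2
            continue
        fi
        if verify_distfile "$dest/$name" "$distinfo"; then
            printf '%s\n' "$site"
            return 0
        fi
        echo "$site: checksum mismatch for $name, discarding copy" >&2
        rm -f "$dest/$name"
    done
    echo "$name: no site provided a copy matching $distinfo" >&2
    return 1
}

# make_fixture: build a throwaway layout (its path is printed on stdout):
#   master/  nothing        -> the upstream site has gone away
#   mirror/  tampered copy  -> a third-party mirror serving bad bytes
#   backup/  good copy      -> the project's own backup mirror
# A real distinfo is written when the port is created; the hash here is
# computed only to construct the fixture.
make_fixture() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/master" "$work/mirror" "$work/backup" "$work/distfiles"
    printf 'good release contents\n' > "$work/backup/foo-1.0.tar.gz"
    printf 'tampered contents\n' > "$work/mirror/foo-1.0.tar.gz"
    sum=$(sha256_of "$work/backup/foo-1.0.tar.gz")
    printf 'SHA256 (foo-1.0.tar.gz) = %s\n' "$sum" > "$work/distinfo"
    printf '%s\n' "$work"
}

# demo_fetch SITE...: fetch foo-1.0.tar.gz from the named fixture sites,
# in order; prints the site that supplied a verified copy, fails if none did.
demo_fetch() {
    work=$(make_fixture) || return 1
    sites=""
    for s in "$@"; do sites="$sites $work/$s"; done
    # $sites is split on purpose; mktemp paths contain no whitespace.
    if chosen=$(fetch_distfile foo-1.0.tar.gz "$work/distfiles" "$work/distinfo" $sites); then
        basename "$chosen"
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

demo_fetch master mirror backup   # prints: backup
```

The order of the site list is the policy: master sites first, the project's own backup mirror last, and the checksum check applied to every copy regardless of origin. Dropping the verification step would turn the fallback mirror into a place where anyone able to write to it can change what gets built.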

Preventing dependency drift

Lockfiles

Some build systems (Go modules, Cargo, npm…) record the exact versions, and usually the checksums, of your dependencies in a lockfile (go.sum, Cargo.lock, package-lock.json). Whenever possible, commit the lockfile to version control and include it in your source tarballs, so that others can recreate an environment close to yours. A lockfile only helps if the build refuses to proceed when it is stale, so use the strict mode of the tool (npm ci rather than npm install, cargo build --locked, go mod verify) rather than letting the resolver quietly update it.

Vendored dependencies

Another possibility is to include a copy of your dependencies in your source tree, or to reference them with similar methods, such as git submodules. Note that a submodule pins a commit hash but still points at a remote repository, so the advice above about volatile inputs applies: the referenced repository can disappear, and you still need a backup of it.

Debian Snapshots

Debian packages must be reproducible with the packages that were available in the archive when they were built.

You can use snapshot.debian.org, which keeps every version of every package that has been in the archive, indexed by timestamp, to create a system in that state.
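As an added illustration (not code from this documentation or from Debian), a small POSIX sh function that writes the apt source lines for a given snapshot. It assumes the snapshot.debian.org URL layout https://snapshot.debian.org/archive/debian/YYYYMMDDTHHMMSSZ/ and the apt [check-valid-until=no] option; the timestamp and suite passed in are example values.

```shell
#!/bin/sh
# Added example: generate apt source lines for a snapshot.debian.org
# timestamp so a build environment can be recreated as of that moment.

# snapshot_apt_sources TIMESTAMP SUITE [COMPONENTS]
# TIMESTAMP must be in snapshot's YYYYMMDDTHHMMSSZ form (UTC); a wrong
# format is rejected rather than producing a URL that 404s later.
# Prints a "deb" and a "deb-src" line on stdout.
snapshot_apt_sources() {
    ts=$1; suite=$2; comps=${3:-main}
    case $ts in
        [0-9][0-9][0-9][0-9][0-1][0-9][0-3][0-9]T[0-2][0-9][0-5][0-9][0-5][0-9]Z) ;;
        *)
            echo "bad timestamp '$ts' (expected YYYYMMDDTHHMMSSZ, e.g. 20240101T000000Z)" >&2
            return 1
            ;;
    esac
    base="https://snapshot.debian.org/archive/debian/$ts/"
    # Release files served from a snapshot are long past their
    # Valid-Until date; without this option apt refuses to use them.
    printf 'deb [check-valid-until=no] %s %s %s\n' "$base" "$suite" "$comps"
    printf 'deb-src [check-valid-until=no] %s %s %s\n' "$base" "$suite" "$comps"
}

# Example values (made up for this illustration). Writing the output to
# /etc/apt/sources.list.d/snapshot.list followed by apt-get update is the
# usual way to use it; shown here only on stdout.
snapshot_apt_sources 20240101T000000Z bookworm
```

The same archive layout exists for the security archive under archive/debian-security/, which a full rebuild environment would need as well; the point of the timestamp is that it selects a complete, frozen view of the archive rather than whatever the mirrors carry today.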
