←back to thread

Debian bookworm live images now reproducible

(lwn.net)
766 points bertman | 1 comments | 3/26/2025, 5:22:00 PM | HN request time: 0.228s | source
Show context
imcritic ◴[3/26/2025, 5:36:00 PM] No.43484638[source]

I don't get how someone achieves reproducibility of builds: what about files metadata like creation/modification timestamps? Do they forge them? Or are these data treated as not important enough (like it 2 files with different metadata but identical contents should have the same checksum when hashed)?

replies(10): >>43484658 #>>43484661 #>>43484682 #>>43484689 #>>43484705 #>>43484760 #>>43485346 #>>43485379 #>>43486079 #>>43488794 #
jzb ◴[3/26/2025, 6:35:00 PM] No.43485346[source]

Debian uses a tool called `strip-nondeterminism` to help with this in part: https://salsa.debian.org/reproducible-builds/strip-nondeterm...

There's lots of info on the Debian site about their reproducibility efforts, and there's a story from 2024's DebConf that may be of interest: https://lwn.net/Articles/985739/

replies(1): >>43489144 #
frakkingcylons ◴[3/27/2025, 12:32:00 AM] No.43489144[source]

I see this is written in Perl, is that the case with most Debian tooling?

replies(6): >>43489677 #>>43490179 #>>43490769 #>>43490826 #>>43491933 #>>43492219 #
londons_explore ◴[3/27/2025, 6:04:00 AM] No.43490769[source]

Packaging and making build scripts is perhaps one of the most unrewarding tasks out there. As an open source project where most work is done for free, debian can't afford to be prescriptive about what languages are used for this sort of task.

replies(1): >>43492550 #
1. account42 ◴[3/27/2025, 11:39:00 AM] No.43492550[source]

Actually it can and it is. Build system dependencies, especially ones that apply to all packages, are something that concerns the distribution as a whole and not something where each developer can just add their favorite one.