On Tue, May 13, 2025 at 02:24:38PM +0200, Guillem Jover wrote:
> We have had reproducible source packages (barring OpenPGP signatures in
> the .dsc files) since pretty much the same time dpkg-deb gained support

Have you actually tried that?

> > why do you think they are important?
>
> For QA alone this seems important (test suites for example), but in a
> security context, to me this seems like a rather important part TBH,
> the foundation on which binary package reproducibility is sitting. More
> so in scenarios such as the xz attack for example. Reviewing diffoscope
> differences is very helpful, but in the end we need to review and modify
> the sources, from which the binaries get derived. :)

Obviously I agree that being able to reproduce the content would be nice,
however in our tests years ago, not even that was possible, let alone bit
by bit (thus including timestamps).

I guess someone would need to actually investigate some hundred packages
today, to see how things really are today.

--
cheers,
	Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄
Life may not be the party we hoped for, but while we're here we might as well dance!