App installer design: only source packages or reproducible builds

Jos van den Oever jos at
Wed May 15 20:41:07 UTC 2013

Hi all,

An aspect of the package format which has not been brought up yet is the reproducibility of the builds.

The availability of the source of a package implies that a user can create the binaries from the source. However, in practice it is rarely the case that running the build command that makes a binary package from a source package results in a package with the same binary.

This deficiency means that the receiver of the software does not have the freedom to study how the program works, because it is very hard or nearly impossible to verify that the provided binary was obtained by compiling the provided source code.

There are two solutions to this problem:
 1) only ship source code and let the user compile
 2) make sure that the process to turn the source code into a binary is as predictable as 1 + 1 = 2.

Is it a goal of the app installer and package format to let the receivers of the software enjoy the freedom to study how the program works?

Best regards,

More information about the ubuntu-devel mailing list
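As an added illustration of the second option (example code, not part of the mail above): package the same source tree from two separate checkouts, once the usual way and once with timestamps, ownership, permissions, traversal order and the gzip header pinned, and check whether each pair of builds is bit-for-bit identical. The sample source files and checkout times are constructed.

```python
import gzip
import io
import os
import tarfile
import tempfile
SAMPLE_FILES = {  # constructed stand-in for a tiny source package
    "Makefile": b"all:\n\tcc -o app main.c\n",
    "main.c": b"int main(void) { return 0; }\n",
}

def make_checkout(root, mtime):
    src = os.path.join(root, "src")
    os.makedirs(src)
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(src, rel)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))  # a checkout made at a different time
    return src

def naive_build(src):
    # Typical packaging: file mtimes, owner and the gzip timestamp all leak in.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        tf.add(src, arcname="app")
    return buf.getvalue()

def reproducible_build(src, source_date_epoch=0):
    # Same input tree, but every environment-dependent field is pinned.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for dirpath, dirnames, filenames in os.walk(src):
            dirnames.sort()  # traversal order no longer depends on the filesystem
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                info = tf.gettarinfo(path, arcname="app/" + os.path.relpath(path, src))
                info.mtime = source_date_epoch  # pinned, not the checkout time
                info.uid = info.gid = 0         # the builder's account must not show
                info.uname = info.gname = ""
                info.mode = 0o755 if info.mode & 0o100 else 0o644  # normalise umask
                with open(path, "rb") as f:
                    tf.addfile(info, f)
    return gzip.compress(buf.getvalue(), mtime=0)  # gzip header timestamp pinned too

def compare_builds():
    # Build from two checkouts of the same source; return (naive_match, reproducible_match).
    with tempfile.TemporaryDirectory() as tmp:
        a = make_checkout(os.path.join(tmp, "a"), 1_000_000_000)
        b = make_checkout(os.path.join(tmp, "b"), 1_000_000_100)
        return (naive_build(a) == naive_build(b), reproducible_build(a) == reproducible_build(b))
```

The naive archives differ only because of metadata the source never contained, which is exactly what a verifier comparing a shipped binary against a rebuild has to rule out.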