Will Ubuntu use "reproducible builds" as debian is planning to do?

Colin Watson cjwatson at ubuntu.com
Fri Sep 13 13:30:57 UTC 2013


On Wed, Sep 11, 2013 at 12:26:28PM -0400, Braiam Miguel Peguero Novo wrote:
> This is a question that was brought up at AskUbuntu[1], and I think
> this is the authoritative list that can answer it.
> 
> So, what are reproducible builds? I don't have the less idea... The
> Debian wiki [2] is still a work-in-progress as far I can tell, but
> seems like they are trying to "predict" the binaries from the change
> in the sources and verify that the build bots are not compromised. I
> believe this is trying to be a layer of protection against attacks to
> the build bots in the attempt to compromise with foreign code the
> packages.

With very few exceptions, nearly all of Debian's work on this will just
be going into the packages that form part of the package build
toolchain, and as such Ubuntu will inherit it over the natural course of
merging and syncing packages from Debian.  The possible exceptions are
things like the proposed libfaketime etc. preloads that we might insert
into builds; I'd certainly be keen to keep up to date with things Debian
does in this area, not just to protect against intrusion but also
because there are immediate practical benefits to doing so (safer
multiarch handling).

> The question is: will Canonical support this feature in the future? is
> this being discussed? if it is, what is the status?

I'm not aware that it's been specifically discussed, mostly because most
of the relevant people are pretty heads-down working on the Ubuntu Touch
product at the moment; but I also think there's work to be done in
Debian first before we pick anything up.

Cheers,

-- 
Colin Watson                                       [cjwatson at ubuntu.com]



More information about the ubuntu-devel mailing list