Question

18

Are apt packages in main and universe ALWAYS guaranteed to be built from source by Ubuntu or Debian mantainers?

rated 0 times [ 18] [ 0] / answers: 1 / hits: 1744 / 2 Years ago, fri, september 23, 2022, 8:48:12

I wonder if Canonical (and/or Debian) provide any sort of guarantee that all packages in main and universe repos are always either built from source by themselves, or verified by them (in case of deterministic or signed reproducible builds) as opposed to just including binaries compiled by others (which implies that you have to trust them, as well, to not be doing something shady or unclear on their compilation process, or using anything outside the public source repo other than private keys for signing, where applicable).

What are Debian and Ubuntu's policies on this? Do they have any official pages or statements on this matter? I'd expect them to do it at least for main, but what about universe? Who am I "trusting" (to provide what they claim to have compiled) when I install something from universe? Just Canonical/Debian or also the authors themselves?

Related: (some info I found on reproducible builds, mostly old)

Will Ubuntu work with reproducible builds?

Are Ubuntu builds deterministic? Why not?

https://wiki.debian.org/ReproducibleBuilds/History#A2016_and_2017

https://isdebianreproducibleyet.com/

https://reproducible-builds.org/projects/#affiliated-projects

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

utonmbo

Add To Favorites

Follow

Total Points: 134

Total Questions: 104

Total Answers: 118

Location: Argentina

Member since Mon, Jan 3, 2022

2 Years ago

utonmbo questions

1 Ubuntu can't find Wifi Driver on Maestro Laptop

Fri, Jun 4, 21, 05:40, 3 Years ago

1 How to create a tar file to a specific folder from a different folder

Thu, Apr 7, 22, 05:22, 2 Years ago

1 Where can I see how a program was installed?

Wed, Apr 5, 23, 06:20, 1 Year ago

1 Kernel Modules Created by DKMS Show "Exec format error" (after update to Ubuntu 21.04)

Sat, May 1, 21, 23:00, 3 Years ago

1 flash drive is not visible for mount and fdisk

Mon, Jun 27, 22, 03:09, 2 Years ago

View All

answered 2 Years ago vigorousom · Accepted Answer

Packages in main and universe are built in the launchpad build farm, from source. You don't need to ask for verification of this as you can find it yourself.

For example, at the time of writing the most recent build of bind uploaded to Ubuntu 20.04 LTS (Focal) is 1:9.16.1-0ubuntu2.5. You can see this via the focal-changes public mailing list. Specifically this post which links to launchpad where you can see the source files and builds, and build logs for every supported architecture. For example the amd64 build for that version of that package is found here with the build log here.

You can repeat this process for every package in every release of Ubuntu.

While I mentioned main and universe, the same is true of restricted and multiverse packages, which are also built on launchpad. However they may contain non-free components, so aren't guaranteed to be built "from source", but there is a source package for each, even if it contains some binary components.