Question

6

Will Ubuntu work with reproducible builds?

rated 0 times [ 6] [ 0] / answers: 1 / hits: 1149 / 2 Years ago, fri, june 24, 2022, 9:51:14

In a comment on the question Does Ubuntu deliberately contaminate its binaries to help NSA?, Jorge Castro notes that debian is thinking about working with reproducible builds. They state

Why do we want reproducible builds?

Independent verifications that a binary matches what the source intended to produce.

Help Multi-Arch: same packages co-installation (as they need every matching file to be byte identical).

Be able to generate debug symbols for packages which do not have a “debug package”.

Is there any indication that Ubuntu plans on implementing reproducible builds as well?

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

itutejagua

Add To Favorites

Follow

Total Points: 89

Total Questions: 124

Total Answers: 113

Location: British Indian Ocean Territory

Member since Sun, Feb 13, 2022

2 Years ago

answered 2 Years ago olfdit · Accepted Answer

(This is a copy of my answer on ubuntu-devel.)

With very few exceptions, nearly all of Debian's work on this will just be going into the packages that form part of the package build toolchain, and as such Ubuntu will inherit it over the natural course of merging and syncing packages from Debian. The possible exceptions are things like the proposed libfaketime etc. preloads that we might insert into builds; I'd certainly be keen to keep up to date with things Debian does in this area, not just to protect against intrusion but also because there are immediate practical benefits to doing so (safer multiarch handling).

I'm not aware that this has been specifically discussed within Canonical, mostly because most of the relevant people are pretty heads-down working on the Ubuntu Touch product at the moment; but I also think there's work to be done in Debian first before we pick anything up.