REPRODUCIBLE-BUILDS-DEBREP
Reproducible Builds Debian 95% packages 2024.
Définition
Reproducible Builds techniques: (1) Source normalization : SOURCE_DATE_EPOCH environment variable (set to commit timestamp Git, file mtime tar etc.) replaces real-time clock pendant build, freezing all timestamps. (2) Build environment normalization : controlled build dependencies versions pin, hermetic build (no network), normalized HOME, USER, build directories. (3) Output normalization : strip non-determinism (random IDs, build paths embedded, locale-dependent sort orders), sort archive entries (tar, zip), normalize timestamps in archives. Tools : diffoscope (compare two builds output to identify non-determinism source), strip-nondeterminism (post-process binaries strip variabilities), reprotest (run two builds + compare), Debian rebuilderd (continuously rebuild Debian archive for verification). Status Debian 2024 : ~95% packages reproducible (debian-bullseye ~94%, debian-bookworm ~95.5%). NixOS 2024 ~96%, Arch Linux ~85%, Tor Browser 100%, Tails 100%. EU Cyber Resilience Act CRA 2024+ encourages reproducible builds.
Origine
Reproducible Builds initiated 2013-2014 par Debian developers (Lunar, Jeremie Bobbio, etc.) ; umbrella project Reproducible Builds .org 2015 expansion ; Debian effort ~95% 2024 ; Tor Browser pionnier 2013 ; NixOS ~96% 2024.
Exemple en contexte
Debian package 'apache2' (web server) built twice on different build hosts produces bit-identical .deb binary archives (sha256 match), verified by Debian rebuilderd continuous rebuilds 100% of Debian archive cross-checks ; independent verifiers can recompile from source + Debian Source Package and compare.
Termes liés
- SLSA L4 — L4 requires reproducible.