submitted 2 days ago by dead@hexbear.net to c/technology@hexbear.net

https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html

Aided by the efforts of the Reproducible Builds project [1], we've decided it's
time to say that Debian must ship reproducible packages. Since yesterday, we
have enabled our migration software to block migration of new packages that
can't be reproduced [2] or existing packages (in testing) that regress in
reproducibility.

[-] dead@hexbear.net 14 points 2 days ago

Which problems do Reproducible Builds Solve?

Whilst anyone may inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled with no method to confirm whether they correspond.

This incentivises attacks on developers who release software, not only via traditional exploitation, but also in the forms of political influence, blackmail or even threats of violence.

This is particularly a concern for developers collaborating on privacy or security software: attacking these typically results in compromising particularly politically-sensitive targets such as dissidents, journalists and whistleblowers, as well as anyone wishing to communicate securely under a repressive regime.

Whilst individual developers are a natural target, it additionally encourages attacks on build infrastructure as a successful attack would provide access to a large number of downstream computer systems. By modifying the generated binaries here instead of modifying the upstream source code, illicit changes are essentially invisible to its original authors and users alike.

The motivation behind the Reproducible Builds project is therefore to allow verification that no vulnerabilities or backdoors have been introduced during this compilation process. By promising identical results are always generated from a given source, this allows multiple third parties to come to a consensus on a “correct” result, highlighting any deviations as suspect and worthy of scrutiny.

This ability to notice if a developer or build system has been compromised then prevents such threats or attacks occurring in the first place, as any compromise can be quickly detected. As a result, front-liners cannot be threatened/coerced into exploiting or exposing their colleagues.

Several free software projects already provide reproducible builds, or will do soon.

https://reproducible-builds.org/docs/which-problems-do-reproducible-builds-solve/

[-] invalidusernamelol@hexbear.net 3 points 1 day ago

Is this basically just checksums built into the package manager?

[-] dead@hexbear.net 7 points 1 day ago

No. The repository has GPG signatures for each package. The signature is a hash which is generated using the private developer key. This verifies that the package was compiled by the Debian team. Most other distros also have package signatures, I think.

Reproducible builds means that if you compile the package on your computer from the source code provided by the Debian repository, the binary package that you compile will be 100% identical to the binary package in the repository.

Currently, 97.3% of packages in the Debian repository are reproducible. The developers are promising to correct the last ~3% before the next Debian version is released, probably by the end of 2027.

There's a ton of different reasons why compiling a binary on your computer might result in a different file than the binary in the repository. You may have compiled with different libraries. The binary may include timestamps from the compile time. Files inside of a tar may be sorted in a different order.

The purpose of reproducible builds is that you can read the source code, compile the source code, and it will 100% match the binaries in the repository.

Imagine a scenario without reproducible builds. You download a binary from the developers, you download source code from the developers, you compile the code and your binary file is different. How would you know that something nasty isn't hidden inside of the binary from the developer? Distros like Gentoo solve the problem by having each user compile every package on their own machine. Debian's solution is making the packages compile exactly the same on every machine (of the same CPU architecture).
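The comment above names two of the usual culprits, build-time timestamps and file ordering inside a tar archive. The following added example (not from the thread or from Debian's tooling) packs a constructed two-file source tree on two simulated "machines" with different listing order and clocks, and shows that the naive archives hash differently while the normalised ones hash identically. The fixed timestamp constant stands in for what SOURCE_DATE_EPOCH provides in a real build.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Assumption: a fixed timestamp, playing the role of SOURCE_DATE_EPOCH.
SOURCE_DATE_EPOCH = 1_700_000_000


def write_sources(root: str) -> None:
    """Constructed sample 'source package': two small files."""
    with open(os.path.join(root, "hello.c"), "w") as f:
        f.write('#include <stdio.h>\nint main(void){puts("hi");return 0;}\n')
    with open(os.path.join(root, "Makefile"), "w") as f:
        f.write("all:\n\tcc -o hello hello.c\n")


def build_tarball(src_dir, entry_order, build_time, reproducible):
    """Return the bytes of a tar archive of src_dir.

    entry_order and build_time stand in for two things that differ between
    machines: the order the filesystem lists files and the clock at build
    time. With reproducible=True both are normalised, plus file ownership.
    """
    names = sorted(entry_order) if reproducible else list(entry_order)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            path = os.path.join(src_dir, name)
            info = tar.gettarinfo(path, arcname=name)
            info.mtime = SOURCE_DATE_EPOCH if reproducible else build_time
            if reproducible:
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            with open(path, "rb") as f:
                tar.addfile(info, f)
    return buf.getvalue()


def compare_builds():
    """Return (distinct naive hashes, distinct reproducible hashes)."""
    with tempfile.TemporaryDirectory() as root:
        write_sources(root)
        # Machine A and machine B: different listing order, different clocks.
        a = dict(entry_order=["hello.c", "Makefile"], build_time=1_700_000_100)
        b = dict(entry_order=["Makefile", "hello.c"], build_time=1_700_000_200)
        naive = {hashlib.sha256(build_tarball(root, reproducible=False, **e)).hexdigest() for e in (a, b)}
        repro = {hashlib.sha256(build_tarball(root, reproducible=True, **e)).hexdigest() for e in (a, b)}
    return len(naive), len(repro)
```

Running compare_builds() gives two distinct hashes for the naive archives and a single shared hash for the normalised ones, which is exactly the property that lets a third party rebuild and compare against the repository copy.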

[-] invalidusernamelol@hexbear.net 3 points 1 day ago

I was trying to read the site but it was down, thanks for the summary! How the hell do they get the packages to compile the same though? That seems like a pretty difficult task given artefacts and compiler flags and such. Is it a specific makefile/build that they're using for the reproducibles?

[-] dead@hexbear.net 3 points 1 day ago

"For each distributed package, rebuilderd calls debrebuild that calls debootsnap, mmdebstrap and finally sbuild to build that package within a user namespace."

https://reproduce.debian.net/

https://wiki.debian.org/ReproducibleBuilds/

this post was submitted on 12 May 2026