47
submitted 1 week ago by dead@hexbear.net to c/technology@hexbear.net

https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html

Aided by the efforts of the Reproducible Builds project [1], we've decided it's
time to say that Debian must ship reproducible packages. Since yesterday, we
have enabled our migration software to block migration of new packages that
can't be reproduced [2] or existing packages (in testing) that regress in
reproducibility.

[-] dead@hexbear.net 7 points 1 week ago

No. The repository has GPG signatures for each package. The signature is a hash which is generated using the private developer key. This verifies that the package was compiled by the Debian team. Most other distros also have package signatures, I think.

Reproducible builds means that if you compile the package on your computer from the source code provided by Debian repository, the binary package that you compile will be 100% identical to the binary package in the repository.

Currently, 97.3% of packages in the Debian repository are reproducible. The developers are promising to correct the last ~3% before the next Debian version is released, probably by the end of 2027.

There's a ton of different reasons why compiling a binary on your computer might result in a different file than the binary in the repository. You may have compiled with different libraries. The binary may include timestamps from the compile time. Files inside of a tar may be sorted in a different order.

The purpose of reproducible builds is that you can read the source code, compile the source code, and it will 100% match the binaries in the repository.

Imagine a scenario without reproducible builds. You download a binary from the developers, you download source code from the developers, you compile the code and your binary file is different. How would you know that something nasty isn't hidden inside of the binary from the developer? Distros like Gentoo solve the problem by having each user compile every package on their own machine. Debian's solution is making the packages compile exactly the same on every machine (of the same cpu architecture).
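As an added example (not from the thread or from Debian's tooling), here are two of the non-reproducibility causes named above, archive member order and embedded timestamps, shown in Python on a constructed set of files: the naive packer yields different bytes from run to run, while the deterministic packer (sorted members, clamped mtime in the style of SOURCE_DATE_EPOCH, fixed ownership and mode) yields the same bytes every time, which is what makes the hash comparison at the end meaningful. Function names and the sample files are assumptions for illustration.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample "build output": path inside the package -> content.
SAMPLE_FILES = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/hello/README": b"hello package\n",
    "etc/hello.conf": b"greeting=hello\n",
}

def naive_tar(files, mtime=None):
    """Non-reproducible packing: members in whatever order the caller's
    dict (or a directory walk) yields them, and the packing time as mtime.
    Two runs at different times, or with a different walk order, differ."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(time.time()) if mtime is None else mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def reproducible_tar(files, source_date_epoch=0):
    """Deterministic packing: sorted member order, mtime clamped to a fixed
    epoch (the SOURCE_DATE_EPOCH convention), uid/gid 0, empty owner names,
    and a mode derived from the path rather than from the build host."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            info.mode = 0o755 if name.startswith("usr/bin/") else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify_rebuild(repo_artifact, local_artifact):
    """The check reproducible builds make possible: the locally rebuilt
    artifact must be byte-for-byte identical to the one in the repository."""
    return sha256(repo_artifact) == sha256(local_artifact)
```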

[-] invalidusernamelol@hexbear.net 3 points 1 week ago

I was trying to read the site but it was down, thanks for the summary! How the hell do they get the packages to compile the same though? That seems like a pretty difficult task given artefacts and compiler flags and such. Is it a specific makefile/build that they're using for the reproducibles?

[-] dead@hexbear.net 3 points 1 week ago

"For each distributed package, rebuilderd calls debrebuild that calls debootsnap, mmdebstrap and finally sbuild to build that package within a user namespace."

https://reproduce.debian.net/

https://wiki.debian.org/ReproducibleBuilds/

this post was submitted on 12 May 2026