In a comment on the question "Does Ubuntu deliberately contaminate its binaries to help NSA?", Jorge Castro notes that Debian is thinking about working with reproducible builds. They state:
Why do we want reproducible builds?
- Independent verifications that a binary matches what the source intended to produce.
- Help Multi-Arch: same packages co-installation (as they need every matching file to be byte identical).
- Be able to generate debug symbols for packages which do not have a “debug package”.
Is there any indication that Ubuntu plans on implementing reproducible builds as well?
(This is a copy of my answer on ubuntu-devel.)
With very few exceptions, nearly all of Debian's work on this will just be going into the packages that form part of the package build toolchain, and as such Ubuntu will inherit it over the natural course of merging and syncing packages from Debian. The possible exceptions are things like the proposed libfaketime etc. preloads that we might insert into builds; I'd certainly be keen to keep up to date with things Debian does in this area, not just to protect against intrusion but also because there are immediate practical benefits to doing so (safer multiarch handling).
I'm not aware that this has been specifically discussed within Canonical, mostly because most of the relevant people are pretty heads-down working on the Ubuntu Touch product at the moment; but I also think there's work to be done in Debian first before we pick anything up.
This question is somewhat badly defined. Every distro ever will work with a reproducible build. Any build that includes no information about the environment it was built from is reproducible. It's the external state of the build environment that causes problems.
Want a "reproducible build"?
Want a non-reproducible build?
It's not about will Ubuntu "work with". It has always worked with. It's about what will be done to "ensure that", and "reject violations".
With that said, currently the plan is to address the problems in GCC and the individual packages. I'm not aware of any plans to reject things that are not reproducible. In addition there is a new .buildinfo which helps shed light on why things may not be reproducible. See also,
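The point made in the answers above, that a build is reproducible only when no external state of the build environment reaches the output, shown as an added example that is not code from either answer or from Debian or Ubuntu. The source tree, the two build environments and the helper names `build` and `digest` are constructed for illustration; `SOURCE_DATE_EPOCH` follows the reproducible-builds convention of taking the timestamp from the source instead of the clock.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed inputs: a tiny source tree and two build machines whose
# clock, user and directory listing order differ.
SOURCES = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}
SOURCE_DATE_EPOCH = 1600000000  # fixed timestamp taken from the source, not the clock
ENV_A = {"now": 1700000000, "user": "alice", "uid": 1000,
         "listing": ["src/main.c", "README"]}
ENV_B = {"now": 1700003600, "user": "buildd", "uid": 2001,
         "listing": ["README", "src/main.c"]}


def build(sources, env, reproducible):
    """Pack sources into a .tar.gz; leak env into it unless reproducible."""
    stamp = SOURCE_DATE_EPOCH if reproducible else env["now"]
    names = sorted(sources) if reproducible else env["listing"]
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)  # defaults: uid/gid 0, empty owner names
            info.size = len(sources[name])
            info.mtime = stamp
            info.mode = 0o644
            if not reproducible:
                info.uid = info.gid = env["uid"]
                info.uname = info.gname = env["user"]
            tar.addfile(info, io.BytesIO(sources[name]))
    out = io.BytesIO()
    # The gzip header carries its own timestamp, so it must be pinned too.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=stamp) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def digest(sources, env, reproducible):
    """SHA-256 of the built artifact, the value an independent verifier compares."""
    return hashlib.sha256(build(sources, env, reproducible)).hexdigest()


if __name__ == "__main__":
    for mode in (False, True):
        a, b = digest(SOURCES, ENV_A, mode), digest(SOURCES, ENV_B, mode)
        print("reproducible" if mode else "naive", a[:16], b[:16], a == b)
```

With the environment pinned, a digest mismatch between two builders can only come from a difference in the source, which is what makes independent verification meaningful.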