
Debian must ship reproducible packages

Debian's release team announced a significant policy change: all packages must now be reproducible, with non-reproducible builds blocked from migrating to testing. This major step aims to bolster software supply chain security and reliability within the distribution. The update also covers new autopkgtest functionality for binary Non-Maintainer Uploads and the recent addition of the loong64 architecture, reflecting Debian's continuous commitment to robust infrastructure, a topic always keenly followed by the HN community.

Score: 20 | Comments: 3 | Highest Rank: #8 | On Front Page: 6h | First Seen: May 10, 6:00 AM | Last Seen: May 10, 11:00 AM

The Lowdown

The Debian Release Team has provided an update midway through the 'forky' release cycle, detailing several key advancements and policy changes aimed at enhancing the quality and integrity of the Debian distribution.

  • Mandatory Reproducible Packages: Debian has officially declared that all packages must be reproducible. As of the announcement, the migration software will block new packages that fail reproducibility checks, and existing packages in testing that regress in reproducibility. This is a significant commitment, aided by the Reproducible Builds project.
  • binNMU Autopkgtests: New functionality has been integrated into the migration software to run autopkgtests for binary Non-Maintainer Uploads (binNMUs), mirroring the process for source-full uploads. This adds another layer of quality assurance.
  • loong64 Architecture Addition: The loong64 architecture has been added to the archive. Due to multi-arch requirements and the policy of only allowing binaries built on buildds, this necessitated rebuilding numerous packages across all architectures, leading to a currently large Continuous Integration (CI) queue.
  • Maintainer Responsibilities: Maintainers are explicitly reminded that they are responsible for ensuring their source packages successfully migrate. This includes filing RC bugs of appropriate severity if autopkgtest regressions in reverse (test) dependencies block migration.

These updates collectively represent a substantial advancement in Debian's commitment to package quality, security, and the integrity of its build processes, with particular emphasis on the critical aspect of reproducible builds.
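
The gate described under "Mandatory Reproducible Packages", sketched as an added example (not Debian's migration software and not code from the announcement): two independent builds of one source are compared by SHA-256, and the result feeds a decision that blocks new non-reproducible packages and reproducibility regressions. The function names, the sample artifacts, and the reading that a package already non-reproducible in testing is not newly blocked are assumptions.

```python
from __future__ import annotations
import hashlib

def differing_artifacts(build_a: dict[str, bytes], build_b: dict[str, bytes]) -> list[str]:
    """Names of artifacts whose SHA-256 differs, or that exist in only one build."""
    def digest(build: dict[str, bytes]) -> dict[str, str]:
        return {name: hashlib.sha256(data).hexdigest() for name, data in build.items()}
    a, b = digest(build_a), digest(build_b)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def migration_decision(candidate_ok: bool, testing_ok: bool | None) -> str:
    """testing_ok is None when the package is not yet in testing (a new package).

    Assumed policy, following the summary above: new packages must be
    reproducible; packages already in testing must not regress.
    """
    if testing_ok is None:
        return "allow" if candidate_ok else "block: new package is not reproducible"
    if testing_ok and not candidate_ok:
        return "block: reproducibility regression"
    return "allow"

def gate(first: dict[str, bytes], second: dict[str, bytes],
         testing_ok: bool | None) -> tuple[str, list[str]]:
    """Compare two builds, then apply the migration policy to the result."""
    diffs = differing_artifacts(first, second)
    return migration_decision(not diffs, testing_ok), diffs

# Constructed sample builds (hypothetical package name and contents).
CLEAN_A = {"hello_1.0-1_amd64.deb": b"ELF...payload", "hello-doc_1.0-1_all.deb": b"docs"}
CLEAN_B = {"hello_1.0-1_amd64.deb": b"ELF...payload", "hello-doc_1.0-1_all.deb": b"docs"}
# Same source, but the build embedded its wall-clock time into the binary.
STAMPED = {"hello_1.0-1_amd64.deb": b"ELF...payload built=2025-01-01T00:00:07Z",
           "hello-doc_1.0-1_all.deb": b"docs"}

if __name__ == "__main__":
    for label, second, testing_ok in [
        ("new, reproducible", CLEAN_B, None),
        ("new, embeds timestamp", STAMPED, None),
        ("was reproducible in testing, now embeds timestamp", STAMPED, True),
        ("already non-reproducible in testing", STAMPED, False),
    ]:
        decision, diffs = gate(CLEAN_A, second, testing_ok)
        print(f"{label}: {decision} {diffs}")
```
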