Ubuntu and Reproducible Builds – Compatibility Guide


In a comment on the question Does Ubuntu deliberately contaminate its binaries to help NSA?, Jorge Castro notes that Debian is thinking about working with reproducible builds. They state:

Why do we want reproducible builds?

  1. Independent verifications that a binary matches what the source intended to produce.
  2. Help Multi-Arch: same packages co-installation (as they need every matching file to be byte identical).
  3. Be able to generate debug symbols for packages which do not have a “debug package”.

Is there any indication that Ubuntu plans on implementing reproducible builds as well?

Best Answer

(This is a copy of my answer on ubuntu-devel.)

With very few exceptions, nearly all of Debian's work on this will just be going into the packages that form part of the package build toolchain, and as such Ubuntu will inherit it over the natural course of merging and syncing packages from Debian. The possible exceptions are things like the proposed libfaketime etc. preloads that we might insert into builds; I'd certainly be keen to keep up to date with things Debian does in this area, not just to protect against intrusion but also because there are immediate practical benefits to doing so (safer multiarch handling).

I'm not aware that this has been specifically discussed within Canonical, mostly because most of the relevant people are pretty heads-down working on the Ubuntu Touch product at the moment; but I also think there's work to be done in Debian first before we pick anything up.