Debian must ship reproducible packages

Original link: https://lists.debian.org/debian-devel-announce/2026/05/msg00001.html

Hacker News discussion: Debian must ship reproducible packages (debian.org), 20 points by robalni, 3 comments

blueflow:
Zero improvement on end-user experience. Does not solve supply chain issues; the Debian package will reproducibly contain the malware from upstream.

rlpb (in reply to blueflow):
Debian has had a better "software supply chain" posture than any other player in the ecosystem since before the turn of the century. While we all face the risk of malware from upstream, Debian is the least at risk of being affected by it. See for example the stream of issues from npm et al. None of it has affected Debian.

alkindiffie (in reply to rlpb):
> for example the stream of issues from npm et al.
Curious, what distros were affected by npm supply chain attacks?
Original text:
bits from the release team


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

We're about half-way through the forky release cycle and we'd like to update you on
a small step in code, but a giant leap in commitment.

Reproducibility
===============

Aided by the efforts of the Reproducible Builds project [1], we've decided it's
time to say that Debian must ship reproducible packages. Since yesterday, we
have enabled our migration software to block migration of new packages that
can't be reproduced [2] or existing packages (in testing) that regress in
reproducibility.


Testing binNMUs
===============

Earlier this year, functionality was added to the migration software to run
autopkgtests for binNMUs, just like we do for source-full uploads. While this
is probably not very relevant for the work of most maintainers, it is another
step in quality assurance.


loong64
=======

Two weeks ago, a new architecture was added to the archive: loong64
[3]. Because we only allow binaries built on the buildds to migrate and because
of multi-arch requirements, we had to rebuild quite a few packages on all
architectures. Because of the new binNMU functionality mentioned above, this
means that the CI queue is currently rather big. Please exercise a bit of
patience.


Post-upload follow-up
=====================

It is the responsibility of the uploader of a source package to ensure that it
migrates. That means that if your package is blocked by autopkgtest regressions
in reverse (test) dependencies, which need updating, we expect you to file the
appropriate bugs (severity RC).


Greetings from Hamburg, on behalf of the Release Team
Paul

[1] https://reproducible-builds.org/
[2] on https://reproduce.debian.net/
[3] https://wiki.debian.org/Ports/loong64


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
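The Reproducibility section of the message above says migration is now blocked for packages that cannot be reproduced. The script below is an added example, not Debian's tooling and not code from the Release Team or the Reproducible Builds project, showing what such a check tests and why packages usually fail it: it packs a constructed file tree into a tar archive twice, once the naive way and once with the normalisations reproducible-builds.org recommends (clamp mtimes to SOURCE_DATE_EPOCH, add entries in sorted order, fix ownership), and compares SHA-256 digests the way a rebuilder compares its rebuild against the archive's binary. The file tree, the SOURCE_DATE_EPOCH value and the uids are all constructed for the example.

```python
"""Added example, not Debian's tooling: what "reproducible" means and why it fails.

A package is reproducible when rebuilding the same source yields byte-identical
artefacts. The usual reasons it does not are build timestamps, directory
listing order and the builder's uid/gid leaking into the archive. This script
packs a constructed file tree into a tar archive the naive way and then with
the normalisations the Reproducible Builds project recommends (clamp mtimes to
SOURCE_DATE_EPOCH, sort entries, fix ownership) and compares SHA-256 digests
the way a rebuild checker does.
"""
import hashlib
import io
import tarfile

# Constructed sample package contents; not taken from any real Debian package.
SAMPLE_TREE = {
    "usr/share/doc/hello/README": b"hello, reproducibly\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}

# Timestamp a reproducible build takes from SOURCE_DATE_EPOCH. The value is
# chosen for the example; dpkg derives the real one from the latest
# debian/changelog entry.
SOURCE_DATE_EPOCH = 1700000000


def naive_build(tree, now, uid, listing=None):
    """Pack `tree` like an unaware build does: wall-clock mtime `now`, whatever
    order the directory listing came back in, and the builder's own uid/gid."""
    listing = list(tree) if listing is None else list(listing)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in listing:
            info = tarfile.TarInfo(path)
            info.size = len(tree[path])
            info.mtime = now
            info.uid = info.gid = uid
            tar.addfile(info, io.BytesIO(tree[path]))
    return buf.getvalue()


def reproducible_build(tree, source_date_epoch=SOURCE_DATE_EPOCH):
    """Pack `tree` deterministically: sorted entries, mtime clamped to
    SOURCE_DATE_EPOCH, ownership fixed to root:root. No build-host state leaks in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(tree):
            info = tarfile.TarInfo(path)
            info.size = len(tree[path])
            info.mtime = source_date_epoch
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(tree[path]))
    return buf.getvalue()


def digest(blob):
    """SHA-256 of the whole artefact, the value a rebuilder compares."""
    return hashlib.sha256(blob).hexdigest()


def explain_mismatch(a, b):
    """Return the reasons two archives differ ([] if byte-identical), a
    simplified form of the per-entry report a tool like diffoscope gives."""
    if a == b:
        return []

    def entries(blob):
        with tarfile.open(fileobj=io.BytesIO(blob)) as tar:
            return [(m.name, int(m.mtime), m.uid, m.gid, tar.extractfile(m).read())
                    for m in tar.getmembers()]

    ea, eb = entries(a), entries(b)
    reasons = []
    if [e[0] for e in ea] != [e[0] for e in eb]:
        reasons.append("entry order differs")
    # Names are unique per archive, so sorting pairs entries up by path.
    for x, y in zip(sorted(ea), sorted(eb)):
        if x[1] != y[1]:
            reasons.append(f"{x[0]}: mtime {x[1]} != {y[1]}")
        if (x[2], x[3]) != (y[2], y[3]):
            reasons.append(f"{x[0]}: owner {x[2]}:{x[3]} != {y[2]}:{y[3]}")
        if x[4] != y[4]:
            reasons.append(f"{x[0]}: content differs")
    return reasons


if __name__ == "__main__":
    # Two "buildds" with different clocks, uids and readdir order.
    a = naive_build(SAMPLE_TREE, now=SOURCE_DATE_EPOCH + 10, uid=1000)
    b = naive_build(SAMPLE_TREE, now=SOURCE_DATE_EPOCH + 86400, uid=2001,
                    listing=reversed(SAMPLE_TREE))
    print("naive build reproducible:", digest(a) == digest(b))
    for reason in explain_mismatch(a, b):
        print("  ", reason)
    # The same two hosts building with normalised metadata agree byte for byte.
    r1, r2 = reproducible_build(SAMPLE_TREE), reproducible_build(SAMPLE_TREE)
    print("normalised build reproducible:", digest(r1) == digest(r2))
```

Two points worth keeping in mind when reading the output. First, the naive archive differs in nothing but metadata: the file contents are identical, which is exactly why a rebuild comparison has to be byte-for-byte rather than "the files look the same". Second, matching digests show only that the binary was built from the published source; they say nothing about whether that source is benign, so reproducibility removes the build host as a place to hide a modification but does not vet upstream.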

