heise PlusAbo

Debian 14: Reproducible builds become mandatory

For Debian 14, packages must be reproducible to get to "testing". The release team has tightened the rules.

listen Print view
The Debian logo with a red swirl and the word "debian" below it.

(Image: heise medien)

2 min. read
iX Magazin
By
Contents

For the upcoming version 14 (“Forky”), Debian is significantly tightening its quality requirements: packages will only be allowed to move to “testing” if they can be built reproducibly. This was announced by the Debian release team. The corresponding migration logic is already active. It affects both new packages that cannot be reproduced and existing packages whose reproducibility has deteriorated.

What reproducible builds achieve

Reproducible packages generate bit-identical binary packages from identical source code and in the same build environment. This makes build processes traceable and tamper-proof. Differences between two builds can thus be clearly traced back to actual changes or possible manipulations.

Non-reproducible builds often arise from trivial factors: timestamps, random build IDs, or a non-deterministic order of files. Two builds of the same source code can thus produce different binary files, even though nothing has functionally changed. Reproducible builds systematically eliminate such differences, for example, through standardized timestamps or deterministic packaging.

From quality goal to release requirement

Debian has been working with the Reproducible Builds project on corresponding mechanisms for years. What's new is that reproducibility is no longer just a quality goal but directly determines the package migration to “testing.” This effectively makes reproducible builds a prerequisite for the regular release process. The current reproducibility status of all packages is listed on reproduce.debian.net.

Videos by heise

In parallel, Debian is expanding its automated tests. According to the release team, the CI infrastructure now also automatically checks so-called binNMUs with autopkgtests. These are pure recompilations of binary packages without changes to the source code, for example, after ABI transitions or new library versions. Until now, the focus of the tests was mainly on classic source uploads.

Longer queues due to loong64

The new loong64 architecture is currently causing longer queues in Debian's build and test infrastructure. Because many packages had to be rebuilt on all architectures and Debian now also checks binNMUs via autopkgtest, the migration to “testing” is currently taking longer.

At the same time, Debian reminds maintainers that they remain responsible for the successful migration of their packages to “testing.” If failed autopkgtests in reverse dependencies block the migration, maintainers should report corresponding release-critical bugs.

Read also

(fo)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten