Don't just vendor - rebuild the ecosystem and persuade the vendor to work on software management ...

Posted Jan 29, 2025 19:23 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
In reply to: Don't just vendor - rebuild the ecosystem and persuade the vendor to work on software management ... by bluca
Parent article: Vendoring Go packages by default in Fedora

Nope. Debian and Fedora are still not fully reproducible for any reasonable installation. C/C++ build systems require careful dance to make them deterministic, while Go provides that out-of-the box.

Don't just vendor - rebuild the ecosystem and persuade the vendor to work on software management ...

Posted Jan 29, 2025 19:35 UTC (Wed) by bluca (subscriber, #118303) [Link]

The "careful dance" in 90% of the cases is setting the SOURCE_DATE_EPOCH and the build path to a fixed value. The is a long tail of unreproducible packages left in Debian, but it is absolutely not just because of C. Loads of those are due to either toolchain issues in LTO which affect all languages gcc supports (in fact one of the most gnarly repro issue left in gcc/binutils is when mixing static linking and LTO), or things like sphinx documentation. I mean this stuff is well documented and with lots of data, so not sure why there's any need to make stuff up.

https://tests.reproducible-builds.org/debian/reproducible...