Posted the debian-devel-announce link calling for Debian to mandate that all packages shipped in stable releases must be reproducible. The choice of debian-devel-announce — reserved for formal project communications — signals this is an actionable policy proposal, not aspirational discussion.
Argues that the announcement appearing on debian-devel-announce rather than the general discussion list is significant: reproducible builds have crossed from aspiration to actionable policy. Notes that over a decade of infrastructure work by contributors like Chris Lamb, Holger Levsen, and Vagrant Cascadian has brought Debian to 95-97% reproducibility, making a mandate now feasible.
Frames the xz-utils backdoor (CVE-2024-3094) as the decisive validation of the reproducible builds threat model. The editorial argues that if downstream distributors had been independently rebuilding xz-utils and comparing output, the discrepancy between source and binary would have been a red flag — potentially catching the backdoor months earlier. This transformed reproducible builds from a theoretical safeguard into a proven necessity.
Explicitly notes that '95% reproducible in unstable' and '100% reproducible in stable' are separated by a chasm of policy, tooling, and political will. While the technical infrastructure exists at tests.reproducible-builds.org, mandating full compliance for a stable release means every remaining non-reproducible package becomes a blocking issue — a fundamentally different challenge than incremental improvement.
A post to debian-devel-announce — Debian's moderated, official announcements list — has called for Debian to mandate that all packages shipped in stable releases must be reproducible. The title leaves no room for interpretation: "Debian must ship reproducible packages."
This isn't a mailing list hot take. debian-devel-announce is reserved for formal project communications: release announcements, policy changes, General Resolution results, and DPL statements. A post here carries institutional weight. The fact that this appeared on debian-devel-announce rather than the general discussion list signals that reproducible builds have crossed from aspiration to actionable policy.
The Debian reproducible builds effort has been running since roughly 2013 — over a decade of methodical, often thankless infrastructure work. Contributors like Chris Lamb (former DPL), Holger Levsen, Mattia Rizzolo, and Vagrant Cascadian have built a continuous verification system at `tests.reproducible-builds.org` that rebuilds every package twice under varied conditions and compares the output. The results are impressive: approximately 95-97% of packages in Debian unstable now produce bit-for-bit identical binaries across independent builds.
But "95% reproducible in unstable" and "100% reproducible in stable" are separated by a chasm of policy, tooling, and political will.
### The Supply Chain Argument Won
Two years ago, the xz-utils backdoor (CVE-2024-3094) demonstrated exactly the threat model that reproducible builds are designed to counter. A sophisticated attacker spent years gaining maintainer trust, then injected a backdoor that was present in build artifacts but effectively invisible in the source repository's casual review. If downstream distributors had been independently rebuilding xz-utils and comparing output, the discrepancy between source and binary would have been a giant red flag — potentially catching the backdoor months earlier.
The xz incident wasn't theoretical. It hit Debian testing and unstable, and it nearly landed in a stable release. Since then, the "reproducible builds are a nice security bonus" framing has collapsed. SLSA (Supply-chain Levels for Software Artifacts), CISA guidance, and the broader post-SolarWinds regulatory push all point the same direction: if you can't independently verify your binaries, your supply chain has an unauditable gap.
### The Last 3-5% Problem
The reason Debian hasn't mandated reproducibility already isn't technical disagreement — almost no one argues against it in principle. The problem is the tail. Roughly 1,000-1,500 source packages out of Debian's 30,000+ still produce non-deterministic output. The causes are well-catalogued:
- Embedded timestamps that survive `SOURCE_DATE_EPOCH` — particularly in build systems that invoke compilers with `__DATE__`/`__TIME__` macros or embed filesystem modification times. - Build path leakage — binaries that encode the absolute directory they were built in, despite GCC's `-ffile-prefix-map` flag. Not all build systems pass these flags correctly. - Non-deterministic archive ordering — tar, zip, and ar archives where file ordering depends on filesystem enumeration order. - Hash map iteration order — Python, Perl, and other runtimes where dictionary iteration is intentionally randomized, producing different output in generated files. - UUIDs and build IDs — tools that generate unique identifiers per build with no option to make them deterministic.
The Pareto distribution here is brutal: the first 95% of reproducibility came from systematic fixes (dpkg patches, `SOURCE_DATE_EPOCH` adoption, `strip-nondeterminism`), but the last 5% requires package-by-package triage. Many of these packages have upstream build systems that the Debian maintainer doesn't control and can't easily patch.
Making non-reproducibility a release-critical bug means someone has to fix or remove those packages before each stable release. That's a real staffing and coordination cost in a volunteer project.
### The `.buildinfo` Infrastructure Gap
There's a subtlety that gets lost in the "just make it reproducible" framing. Reproducibility is only useful if third parties can actually verify builds. That requires `.buildinfo` files — records of the exact build environment (compiler versions, library versions, build flags) — to be publicly archived and accessible.
Debian generates `.buildinfo` files for every upload, but the infrastructure to collect and serve them for independent verification has been fragmented. Chris Lamb ran `buildinfo.debian.net` as a personal project, not as official Debian infrastructure. Mandating reproducible packages without a robust `.buildinfo` archive is like requiring HTTPS certificates but not running a certificate transparency log — you have the mechanism but not the verification. Any serious policy change needs to address this gap.
### If You Run Debian or Ubuntu in Production
This is directly relevant. Debian is Ubuntu's upstream, and Ubuntu powers a significant fraction of cloud workloads. A reproducibility mandate in Debian stable means:
1. Packages that can't be made reproducible may be dropped. If your production stack depends on a niche package that embeds build-time UUIDs, it could become unavailable in future stable releases. Audit your dependency trees now.
2. Build toolchain requirements tighten. If you maintain Debian packages (including internal ones), start testing with `reprotest` and `diffoscope`. Non-reproducible packages in your internal repos will increasingly look like a supply chain liability to auditors.
3. Verification becomes possible. Once reproducibility is guaranteed and `.buildinfo` files are archived, you can independently rebuild any package and verify it matches what the mirror serves. This is a meaningful security property for high-assurance environments.
### If You Maintain Open Source Build Systems
The Debian project has been filing upstream patches for non-deterministic build behavior for a decade. If you maintain a build system (CMake plugin, Gradle plugin, custom code generators), expect more pressure to support `SOURCE_DATE_EPOCH`, deterministic file ordering, and path-independent output. The Reproducible Builds project maintains a comprehensive list of common issues and fixes at `reproducible-builds.org/docs/`.
### If You Care About Software Supply Chain Security
Reproducible builds are the only technical mechanism that lets an independent party verify that a binary was built from a specific source without trusting the builder. Signatures prove who built it; reproducibility proves what they built. SBOMs tell you what's in the box; reproducible builds let you verify the box matches the label. These are complementary, not substitutes.
The SLSA framework lists reproducible builds as the highest level of build integrity (SLSA Build L4, proposed). If Debian — the most widely-used base distribution for server infrastructure — mandates it, that sets a de facto industry expectation.
The 319-point Hacker News response tells you where practitioner sentiment sits: developers want this. The technical groundwork is largely done. The remaining challenge is organizational — deciding that the last 3-5% of packages must comply or be excluded, funding the `.buildinfo` infrastructure, and coordinating with upstream projects that produce non-deterministic build output. Debian has a history of making these kinds of hard calls (the systemd transition, the usr-merge) and eventually getting them right, even when the transition is painful. Reproducible builds have waited a decade for Debian Policy to catch up with Debian practice. The gap is finally closing.
https://wiki.debian.org/ReproducibleBuilds has some more infos; some is outdated, but it also has a chart showing how many packages are built in the CI, and how many of those are reproducible builds.(Orange = FTBR = "failed to build reproducibly")I'm not good at reading
I'm so happy to see this change. I got involved with reproducible builds in 2021 after reading in horror about the SolarWinds attack. [1]I think Magnus Ihse Bursie said it best while working on reproducible builds of OpenJDK: "If you were to ask me, the fact that compilers and build tools
A great milestone, congrats Debian on taking a stance and holding high standards for yourself, especially in the current era.
Good thing. NetBSD has fully reproductible build since 2017. https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_...
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.
This is a huge achievement for Debian and the free software world.It took a while though until this was understood. In 2007 when pointing out on debian-devel that this is needed, I was still told what huge waste of time this would be. And indeed it took a huge amount of work by many people to get th