"Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch."

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 12:48:25 GMT

pbsds@snabelen.no — Wed, 13 May 2026 12:48:25 GMT

@Pol @bagder @gonzo_askold @orpach.neocities.org indeed, "replayable" and "hermetic" are better terms for what Nix provides. Some of the bitwise reproducibility of nixpkgs comes from rigorously defining all build inputs, various patches we apply and default build settings we default to. But the brunt of the work is the massive and steller upstream work of https://reproducible-builds.org/, without which nixpkgs would not even be close to bitwise reproducible

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 12:35:09 GMT

pol@mathstodon.xyz — Wed, 13 May 2026 12:35:09 GMT

@bagder @gonzo_askold @orpach.neocities.org Indeed, Nix greatly increases the chances of producing reproducible packages by controlling the build environment.

That said, it does not magically make the final artefact reproducible. There can still be sources of non-determinism, and we try to track them down as much as possible.

So far, things are going well!

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 11:38:10 GMT

harmone@mastodon.social — Wed, 13 May 2026 11:38:10 GMT

@bagder Wow, that's awesome! Does anyone know if Ubuntu also will force reproducible builds considering that Ubuntu is based on Debian?

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 11:35:17 GMT

allende1973@todon.nl — Wed, 13 May 2026 11:35:17 GMT

@bagder

Does this mean derivatives like Devuan automatically do this too?

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 11:20:25 GMT

andreasio@mastodon.social — Wed, 13 May 2026 11:20:25 GMT

@bagder this is also what fdroid does on Android i i think

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 11:11:22 GMT

domdel@mastodon.social — Wed, 13 May 2026 11:11:22 GMT

@gonzo_askold In fact #Debian and others are reproductible too.
You can visit https://reproducible-builds.org/ to have an idea. When I worked in administration, we have a server with window NT to install via network on 200 same machines.

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 11:03:45 GMT

gonzo_askold@mastodon.social — Wed, 13 May 2026 11:03:45 GMT

@bagder idk what would be practical differences between these two systems and how one or the other would be more secure against supply chain attacks or other mitms

would be pretty interested in some reference materials

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 11:03:42 GMT

bryanbennett@tilde.zone — Wed, 13 May 2026 11:03:42 GMT

@gonzo_askold: this isn't true, as some builds embed things like the timestamp and build hostname in the artifacts. Nix sets some notion of the timestamp to epoch to account for this, but cannot fix every impurity everywhere (maven builds are notoriously finnicky, for instance).

Nix is great at this, but somewhat suffers from embracing the package without submitting the changes it makes to the package upstream. Because nix is so flexible (and doesn't always have the pull that Debian does with packagers), i believe nix has been less influential here than you would hope.

This change from Debian is awesome as we will all benefit from the fixes.

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:58:30 GMT

bagder@mastodon.social — Wed, 13 May 2026 10:58:30 GMT

@gonzo_askold I'm only pointing out the difference, I'm not suggesting nix did anything bad or wrong.

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:58:19 GMT

nim@mastodon.tetaneutral.net — Wed, 13 May 2026 10:58:19 GMT

@gonzo_askold @bagder sadly, that is not the case.
There are many corner cases, but the simplest example is "yes all your dependencies are reproducible, but you decide to `cat /dev/random > $PREFIX/my-seed`" or whatever.

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:58:11 GMT

gonzo_askold@mastodon.social — Wed, 13 May 2026 10:58:11 GMT

@domdel maybe I want there at that time

quick search of "net install reproducible" yields only dotnet stuff

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:55:24 GMT

domdel@mastodon.social — Wed, 13 May 2026 10:55:24 GMT

@gonzo_askold @orpach.neocities.org @bagder About reprocductibility, net install was there before ...

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:53:42 GMT

gonzo_askold@mastodon.social — Wed, 13 May 2026 10:53:42 GMT

@bagder

I'm not that knowledgeable about inside workings, but in theory (in my head) hashing all inputs does equate to byte-to-byte reproducibility, even if previous steps in the build process weren't written specifically to be reproduced

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:51:16 GMT

nim@mastodon.tetaneutral.net — Wed, 13 May 2026 10:51:16 GMT

@bagder @gonzo_askold @orpach.neocities.org yes, https://reproducible-builds.org/ also apply to nix : https://reproducible.nixos.org/
there was 100% on minimal iso in december, but there is no hard constraint on the whole 100k+ package set from nixkpgs

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:47:45 GMT

seharinsights@mastodon.social — Wed, 13 May 2026 10:47:45 GMT

@bagder it’s been 3 days and your post is still trending… what a great motto.”

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:47:02 GMT

bagder@mastodon.social — Wed, 13 May 2026 10:47:02 GMT

@gonzo_askold @orpach.neocities.org sure, but nix has still included packages that not in themselves were done reproducible I'm pretty sure.

Reply to "Packages that can't be rebuilt byte-for-byte are now blocked from entering Debian's testing branch." on Wed, 13 May 2026 10:23:20 GMT

gonzo_askold@mastodon.social — Wed, 13 May 2026 10:23:20 GMT

@orpach.neocities.org @bagder

#nixos is somewhat of pioneer in the space of reproducible builds and is 20 years old