Debian Mandates Reproducible Package Builds

The Debian release team has announced that reproducible builds are now a mandatory property of packages. The build and migration machinery has been changed so that new packages that cannot be built reproducibly are no longer accepted into the archive, and updates to existing packages are blocked from migrating into the testing repository if they regress build reproducibility.

Debian 13 comprises 36,427 source packages, of which 96.9% build reproducibly on x86_64 and 96.8% on ARM64. For the testing repository, the estimated reproducibility rate is 94.5% on ARM64 and 75.7% on x86_64 across 37,809 source packages; of those, 1,141 packages (3%) failed the reproducibility test and 7,952 (21%) failed to build from source at all.

Reproducible builds let anyone rebuild a package from its source and obtain a bit-for-bit identical copy of the binary offered for download, which makes the software supply chain verifiable: a user can confirm that the shipped binary was compiled from exactly the published source with nothing added. The distribution's build infrastructure therefore no longer has to be trusted blindly. If a build host or its compiler had been compromised to inject malicious code, the shipped binary would no longer match an independent rebuild, and the tampering would show up as a hash mismatch.

Achieving reproducibility means pinning the build environment: exact dependency versions, the same toolchain versions, identical compiler flags, and a deterministic file order (sorting directory listings rather than relying on whatever order the filesystem returns). Output that carries no information but varies between runs, such as embedded timestamps and random values, has to be removed or normalized (timestamps are typically clamped to the SOURCE_DATE_EPOCH value derived from the package changelog). Even then, toolchain bugs and race conditions in parallel builds can still make the result non-deterministic.
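The points above (why an independent rebuild detects tampering, and which sources of variation have to be pinned) are easiest to see on a small archive. The following is an added example, not Debian's own tooling or code from the announcement: it packs a constructed three-file source tree the naive way (filesystem listing order, wall-clock mtimes, gzip header clock) and the reproducible way (sorted members, mtimes clamped to SOURCE_DATE_EPOCH, fixed ownership, zero gzip timestamp), then shows that only the latter lets a user match a published hash and notice an injected change. The tree, the SOURCE_DATE_EPOCH value and the function names are assumptions made for the example.

```python
import gzip
import hashlib
import io
import struct
import tarfile

# Constructed sample "source package": path -> contents (assumption; a real
# build would read a checkout from disk).
TREE = {
    "pkg/main.c": b"int main(void) { return 0; }\n",
    "pkg/Makefile": b"all:\n\tcc -o main main.c\n",
    "pkg/README": b"demo package\n",
}
SOURCE_DATE_EPOCH = 1_700_000_000  # assumed; normally taken from the changelog date


def build_naive(tree, now, listing_order):
    """Non-reproducible build: members appear in whatever order the
    filesystem listed them, every mtime is the wall clock at pack time,
    and the gzip header records that clock as well."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path in listing_order:
            info = tarfile.TarInfo(path)
            info.size = len(tree[path])
            info.mtime = now
            tar.addfile(info, io.BytesIO(tree[path]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=now) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def build_reproducible(tree, source_date_epoch):
    """Reproducible build: sorted member order, mtimes clamped to
    SOURCE_DATE_EPOCH, fixed mode, numeric uid/gid 0 with empty names,
    and a zero gzip timestamp (what `gzip -n` writes)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for path in sorted(tree):
            info = tarfile.TarInfo(path)
            info.size = len(tree[path])
            info.mtime = source_date_epoch
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(tree[path]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def fingerprint(blob):
    """Where the variation hides: gzip header mtime (bytes 4..8, little
    endian) and each member's (name, mtime) in archive order."""
    gzip_mtime = struct.unpack("<I", blob[4:8])[0]
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        members = [(m.name, m.mtime) for m in tar.getmembers()]
    return gzip_mtime, members


def naive_builds_match():
    """Two naive builds 100 s apart with the tree listed in another order."""
    first = build_naive(TREE, now=1_700_000_000, listing_order=list(TREE))
    second = build_naive(TREE, now=1_700_000_100,
                         listing_order=list(reversed(list(TREE))))
    return sha256(first) == sha256(second)


def reproducible_builds_match():
    """Same inputs, different listing order: identical bytes."""
    other_order = dict(reversed(list(TREE.items())))
    first = build_reproducible(TREE, SOURCE_DATE_EPOCH)
    second = build_reproducible(other_order, SOURCE_DATE_EPOCH)
    return sha256(first) == sha256(second)


def verify_published(published_sha256, tree):
    """The user's check: rebuild from readable source, compare hashes."""
    return sha256(build_reproducible(tree, SOURCE_DATE_EPOCH)) == published_sha256


def tampered_build_detected():
    """A build host that alters main.c ships an artifact no honest rebuild
    of the published source can match."""
    tampered = dict(TREE)
    tampered["pkg/main.c"] = b"/* injected on the build host */\n" + TREE["pkg/main.c"]
    shipped = sha256(build_reproducible(tampered, SOURCE_DATE_EPOCH))
    return not verify_published(shipped, TREE)


if __name__ == "__main__":
    print("naive builds match:", naive_builds_match())
    print("reproducible builds match:", reproducible_builds_match())
    print("tampering detected:", tampered_build_detected())
    print("reproducible fingerprint:", fingerprint(build_reproducible(TREE, SOURCE_DATE_EPOCH)))
```

The `fingerprint` helper is the manual equivalent of what diffoscope reports when two builds differ: in the naive archive both the gzip header clock and every member mtime move between runs, and the member order follows the listing, so no two builds agree; the reproducible archive pins all three and any remaining difference must come from the source itself.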
