@spoonincode
Contributor

Unfortunately it is no longer possible to build the 1.x pinned/reproducible package from scratch because it is based on Debian 10 which has had its packages removed from Debian's package repo around July 12 (it has been out of support for about a year now).

This moves the build to use Debian's package snapshot repo which contains all prior releases. This was previously plumbed through here (since pinning to exact packages would presumably be even more reproducible), though I had disabled it in the past since the package snapshot repo can be kind of slow.

Taking this approach will ensure no operational changes to any users who are using 1.2.x on an old distribution like Ubuntu 18. Though we didn't actually claim support for these old distributions, so it's not clear how aggressively we should maintain this compatibility. Maybe in 1.3 we could increase the base build to Debian 11 (it already is on our 2.0 branch).

Contributor

@linh2931 linh2931 left a comment


Maybe just keep this way until 2.0 (as 2.0 already changed) so that 1.x users will not see breaking changes.

RUN <<EOF
cat <<EOS > /etc/apt/sources.list
deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/$(date -d @${SOURCE_DATE_EPOCH} +%Y%m%dT%H%M%SZ)/ buster main
deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/$(date -d @${SOURCE_DATE_EPOCH} +%Y%m%dT%H%M%SZ)/ buster/updates main
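
Review bot: both `deb` lines derive the snapshot timestamp from `$(date -d @${SOURCE_DATE_EPOCH} ...)` inside the unquoted `<<EOS` heredoc, and nothing in the visible lines checks that `SOURCE_DATE_EPOCH` is set and numeric. If it is empty, `date` errors out, the substitution expands to nothing, and `cat` still writes `sources.list` with an empty timestamp in the URL path, so the problem is not caught at this step. Consider failing early before the `cat`, for example with `: "${SOURCE_DATE_EPOCH:?}"`, and passing `-u` to `date` so the `Z` suffix is correct regardless of the build environment's timezone.
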
Contributor Author


While scrutinizing this method some I realized an oversight: This only includes the 'buster' and 'buster security' [1]. It does not include 'buster-updates'. I probably copied the template from the main https://snapshot.debian.org/ page but that example is for ancient lenny.

I will need to make a small tweak to include 'buster-updates'. Probably no fatal issue to leave it out but it's unrepresentative of what really was released at this given date otherwise.

Footnotes

  1. Which is confusingly the 'buster/updates' suite -- this is probably how I got confused. On Debian 11+ this is more clearly named something like 'trixie-security'.
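
The three-suite layout described in the comment above ('buster', 'buster-updates', and the security suite named 'buster/updates'), as an added shell example that is not the project's own code. The function name `snapshot_sources`, the input validation and the `-u` flag are assumptions of this example, and it requires GNU `date`.

```shell
#!/bin/sh
# Added example: emit an apt sources.list pinned to one snapshot.debian.org
# timestamp derived from SOURCE_DATE_EPOCH, covering all three buster suites.
# snapshot_sources is a hypothetical helper name, not taken from the project.

snapshot_sources() {
    epoch="$1"

    # Reject empty or non-numeric input so a bad value cannot silently
    # produce a sources.list with a malformed snapshot URL.
    case "$epoch" in
        ''|*[!0-9]*)
            echo "snapshot_sources: epoch must be a non-negative integer" >&2
            return 1
            ;;
    esac

    # GNU date; -u keeps the timestamp in UTC so it matches the trailing Z.
    ts=$(date -u -d "@${epoch}" +%Y%m%dT%H%M%SZ) || return 1

    base="http://snapshot.debian.org/archive"
    # Snapshot Release files are past their Valid-Until date, so that one
    # check is disabled; apt still verifies the Release signature.
    opts="[check-valid-until=no]"

    cat <<EOS
deb ${opts} ${base}/debian/${ts}/ buster main
deb ${opts} ${base}/debian/${ts}/ buster-updates main
deb ${opts} ${base}/debian-security/${ts}/ buster/updates main
EOS
}
```

In a build step the output would be redirected to `/etc/apt/sources.list`, for example `snapshot_sources "$SOURCE_DATE_EPOCH" > /etc/apt/sources.list`.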

@spoonincode spoonincode changed the title from "[?.?.?] use debian's package snapshot repo for old buster packages needed in reproducible build" to "[1.2.3] use debian's package snapshot repo for old buster packages needed in reproducible build" Aug 21, 2025
@spoonincode spoonincode marked this pull request as ready for review August 21, 2025 15:52
Contributor

@linh2931 linh2931 left a comment


Should the PR title be [1.2.2]?

@spoonincode
Contributor Author

> Should the PR title be [1.2.2]?

I thought for PRs to a release branch we use the version it will first be released in. Otherwise seems difficult when viewing a list of PRs to remember that something prefixed with 1.2.2 was actually first released in 1.2.3.

That said it's not certain if this will be a 1.2.3 or a 1.2.2-1 sort of thing

@linh2931
Contributor

> I thought for PRs to a release branch we use the version it will first be released in. Otherwise seems difficult when viewing a list of PRs to remember that something prefixed with 1.2.2 was actually first released in 1.2.3.
>
> That said it's not certain if this will be a 1.2.3 or a 1.2.2-1 sort of thing

Oh, 1.2.3 makes sense then.

@spoonincode spoonincode linked an issue Aug 25, 2025 that may be closed by this pull request
@spoonincode spoonincode merged commit 0d5bb99 into release/1.2 Aug 25, 2025
39 of 51 checks passed
@spoonincode spoonincode deleted the bustersnapshot_12 branch August 25, 2025 17:53
Development

Successfully merging this pull request may close these issues.

reproducible builds failing when built from scratch