[users at bb.net] debian packages?

Dan Kegel dank at kegel.com
Wed Feb 28 04:09:20 UTC 2018


On Tue, Feb 27, 2018 at 7:39 PM, Charles Lepple <clepple at gmail.com> wrote:
> It is possible to get some level of reproducibility by
> pinning the versions that you grab from PyPI, but then it's turtles all the
> way down with the dependencies.

Good point. One of my goals is to make every build produce identical
output given identical input, and you simply cannot do that with dynamic
third party repos. With a local mirror of a Debian-based distro, you
have complete control over updates, and thanks to
https://reproducible-builds.org/ we have a shot at actually achieving
bit-for-bit identical output, each and every time, regardless of the
machine doing the build. And that is good for security.
- Dan
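
The bit-for-bit goal in the message above, as an added example (not code from the thread or from reproducible-builds.org): the same files are packaged on two build hosts, first naively and then with timestamps, ownership and member order normalized, and the SHA-256 digests are compared. The file tree, the two hosts and the pinned timestamp are constructed sample values; `source_date_epoch` mirrors the `SOURCE_DATE_EPOCH` convention from reproducible-builds.org.

```python
import hashlib
import io
import tarfile

# Constructed sample: the files a build step is about to package.
TREE = {
    "usr/bin/tool": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/tool/README": b"sample package\n",
}
# Constructed build hosts: same input, different clock, user and listing order.
HOST_A = {"clock": 1519790960, "uid": 1000, "user": "alice", "listing": sorted(TREE)}
HOST_B = {"clock": 1519877360, "uid": 1001, "user": "bob",
          "listing": sorted(TREE, reverse=True)}


def build(tree, host, source_date_epoch=None):
    """Pack tree into a tar archive and return its bytes.

    source_date_epoch=None is the naive build: host clock, user and directory
    order leak into the archive. With a value set, those are normalized away.
    """
    pinned = source_date_epoch is not None
    names = sorted(tree) if pinned else host["listing"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mode = 0o644
            info.mtime = source_date_epoch if pinned else host["clock"]
            info.uid = info.gid = 0 if pinned else host["uid"]
            info.uname = info.gname = "root" if pinned else host["user"]
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    epoch = 1519776000  # constructed pinned timestamp, recorded with the source
    for label, e in (("naive", None), ("normalized", epoch)):
        a, b = digest(build(TREE, HOST_A, e)), digest(build(TREE, HOST_B, e))
        print(f"{label:10} identical={a == b}\n  A {a}\n  B {b}")
```

Once the normalized digests agree across independent builders, a mismatch means either an input that was not pinned or an output that was altered, which is what makes the comparison useful as a security check.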

