15 September 2017

Chris Lamb: Which packages on my system are reproducible?

Whilst anyone can inspect the source code of free software for malicious flaws, most software is distributed pre-compiled to end users. The motivation behind the Reproducible Builds effort is to allow verification that no flaws have been introduced either maliciously or accidentally during this compilation process. As part of this project I wrote a script to determine which packages installed on your system are "reproducible" or not:
$ apt install devscripts
[ ]
$ reproducible-check
[ ]
W: subversion (1.9.7-2) is unreproducible (libsvn-perl, libsvn1, subversion) <>
W: taglib (1.11.1+dfsg.1-0.1) is unreproducible (libtag1v5, libtag1v5-vanilla) <>
W: tcltk-defaults (8.6.0+9) is unreproducible (tcl, tk) <>
W: tk8.6 (8.6.7-1) is unreproducible (libtk8.6, tk8.6) <>
W: valgrind (1:3.13.0-1) is unreproducible <>
W: wavpack (5.1.0-2) is unreproducible (libwavpack1) <>
W: x265 (2.5-2) is unreproducible (libx265-130) <>
W: xen (4.8.1-1+deb9u1) is unreproducible (libxen-4.8, libxenstore3.0) <>
W: xmlstarlet (1.6.1-2) is unreproducible <>
W: xorg-server (2:1.19.3-2) is unreproducible (xserver-xephyr, xserver-xorg-core) <>
282/4494 (6.28%) of installed binary packages are unreproducible.

Whether a package is "reproducible" or not is determined by querying the Debian Reproducible Builds testing framework.
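To show how such a check fits together, here is an added example (not the devscripts reproducible-check code itself) that re-creates the report above from constructed data: a stand-in for the framework's per-package status records and a stand-in for the installed binary package list. The record layout, and the rule that a verdict only applies when the installed version is exactly the version the framework built, are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample of the testing framework's per-package results. The
# record shape (package, version, architecture, status) is an assumption
# made for this example, not a documented format.
STATUS_RECORDS = [
    {"package": "subversion", "version": "1.9.7-2", "architecture": "amd64", "status": "unreproducible"},
    {"package": "valgrind", "version": "1:3.13.0-1", "architecture": "amd64", "status": "unreproducible"},
    {"package": "wavpack", "version": "5.1.0-2", "architecture": "amd64", "status": "unreproducible"},
    {"package": "bash", "version": "4.4-5", "architecture": "amd64", "status": "reproducible"},
    {"package": "x265", "version": "2.5-1", "architecture": "amd64", "status": "unreproducible"},
]

# Constructed stand-in for the installed binary package list (what
# dpkg-query would give you): binary name, source package, installed version.
INSTALLED = [
    ("libsvn-perl", "subversion", "1.9.7-2"),
    ("libsvn1", "subversion", "1.9.7-2"),
    ("subversion", "subversion", "1.9.7-2"),
    ("valgrind", "valgrind", "1:3.13.0-1"),
    ("libwavpack1", "wavpack", "5.1.0-2"),
    ("bash", "bash", "4.4-5"),
    ("libx265-130", "x265", "2.5-2"),  # newer than the tested 2.5-1: no verdict
]

def check(installed, records, arch="amd64"):
    """Return (warning lines, unreproducible count, total installed). A binary
    only gets a verdict when its installed version is exactly the version the
    framework built; a different version is unknown, not reproducible."""
    status = {(r["package"], r["version"]): r["status"]
              for r in records if r["architecture"] == arch}
    by_source = defaultdict(list)
    for binary, source, version in installed:
        if status.get((source, version)) == "unreproducible":
            by_source[(source, version)].append(binary)
    warnings, bad = [], 0
    for (source, version), binaries in sorted(by_source.items()):
        bad += len(binaries)
        # The binary list is omitted when the only binary is named like the source.
        suffix = "" if binaries == [source] else " (%s)" % ", ".join(sorted(binaries))
        warnings.append("W: %s (%s) is unreproducible%s" % (source, version, suffix))
    return warnings, bad, len(installed)

def summary(bad, total):
    return "%d/%d (%.2f%%) of installed binary packages are unreproducible." % (
        bad, total, 100.0 * bad / total)

if __name__ == "__main__":
    lines, bad, total = check(INSTALLED, STATUS_RECORDS)
    print("\n".join(lines + [summary(bad, total)]))
```

Note that the installed x265 is a different version from the one the framework tested, so it produces no warning: a silent result means "not tested at this version", not "reproducible".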

The --raw command-line argument lets you play with the data in more detail. For example, you can see who maintains your unreproducible packages:
$ reproducible-check --raw | dd-list --stdin
Alec Leamas <>
   lirc (U)
Alessandro Ghedini <>
Alessio Treglia <>
   fluidsynth (U)
   libsoxr (U)
[ ]

reproducible-check is available in devscripts since version 2.17.10, which landed in Debian unstable on 14th September 2017.