Beyond Reproducible Builds: Towards Idempotent Rebuilds of Debian
This article explores a new goal beyond reproducible builds for Debian packages: idempotent rebuilds. The author argues that simply reproducing published packages using older build dependencies (as done by the Reproduce.Debian.net project) is insufficient, as it relies on old binary packages that cannot be rebuilt from source. Therefore, the author proposes the concept of idempotent rebuilds, where iterative rebuilding eventually leads to a state where the rebuilt packages are identical to the previous iteration. This requires addressing issues like build timestamps and non-deterministic outputs. The author has completed stage 0 of the rebuild and plans to release the build artifacts for stage 1, with the ultimate goal of being able to bootstrap a Debian binary distribution from an environment like Guix. Challenges include the presence of non-free firmware and non-Debian signed binaries which might prevent self-rebuilding.