Binary Distribution Rebuilds

30 points by JNRowe about 2 months ago

3 comments

yjftsjthsd-h about 1 month ago
> PS. I fear that Debian main may have already went into a state where it is not able to rebuild itself at all anymore: the presence and assumption of non-free firmware and non-Debian signed binaries may have already corrupted the ability for Debian main to rebuild itself. To be able to complete the idempotent and bootstrapped rebuild of Debian, this needs to be worked out.

Are any nonfree packages used as build inputs? If not, just ("just") bootstrap guix on a blobless platform, and cross build Debian from that.

lrvick about 1 month ago
As an alternative to Guix with a much more strict supply chain security policy, consider: https://stagex.tools/

rlpb about 1 month ago
> How big is N today? The simplest assumption is that it is infinity. Any build timestamp embedded into binary packages will change on every iteration. This will cause the process to never terminate. Fixing embedded timestamps is something that the Reproduce.Debian.Net effort will also run into, and will have to resolve.

This was addressed by the Debian reproducible build project years ago. We’re down to 2.2% of packages that are not reproducible. Even if this uses a different definition, it certainly means that the majority of packages do not have a build timestamp problem.

I’m struggling to make sense of this article and I’m a Debian Developer. I think part of the problem might be that the author isn’t aware of the huge progress Debian has already made in this area over many years.