
Demand for reproducible packages in Debian distributions is growing

May 10, 2026, 08:08

The Debian operating system is one of the largest open-source Linux distributions in the world, providing a stable and secure environment to millions of users. The Debian community is now moving to make reproducible packages mandatory. The initiative aims to make the package build process more transparent, secure and trustworthy.

What are reproducible packages?

A reproducible package is one for which the same source code, built in the same build environment with the same parameters, yields the same binary file (package) every time. In other words, rebuilding a piece of software always gives the same result. This property offers the following advantages:

Hi,

We're about half-way the forky release cycle and we'd like to update you on a
small step in code, but a giant leap in commitment.

Reproducibility
===============

Aided by the efforts of the Reproducible Builds project [1], we've decided it's
time to say that Debian must ship reproducible packages. Since yesterday, we
have enabled our migration software to block migration of new packages that
can't be reproduced [2] or existing packages (in testing) that regress in
reproducibility.


Testing binNMUs
===============

Earlier this year, functionality was added to the migration software to run
autopkgtests for binNMUs, just like we do for source-full uploads. While this
is probably not very relevant for the work of most maintainers, it is another
step in quality assurance.


loong64
=======

Two weeks ago, a new architecture was added to the archive: loong64
[3]. Because we only allow binaries built on the buildds to migrate and because
of multi-arch requirements, we had to rebuild quite a few packages on all
architectures. Because of the new binNMU functionality mentioned above, this
means that the CI queue is currently rather big. Please exercise a bit of
patience.


Post-upload follow-up
=====================

It is the responsibility of the uploader of a source package to ensure that it
migrates. That means that if your package is blocked by autopkgtest regressions
in reverse (test) dependencies, which need updating, we expect you to file the
appropriate bugs (severity RC).


Greetings from Hamburg, on behalf of the Release Team
Paul

[1] https://reproducible-builds.org/
[2] on https://reproduce.debian.net/
[3] https://wiki.debian.org/Ports/loong64



  • Security: Comparing a binary against its source code becomes easier, and a potential backdoor or manipulation can be detected.
  • Islamic values: It is consistent with the principles of openness and fairness, because every user is able to verify a package.
  • Quality control: Errors and random differences in the build process are reduced, and packages become more stable.
  • Reproduction: Archived packages can be rebuilt and verified in the future as well.

Why is Debian considering making this mandatory?

Drawing on several years of experience, the Debian community has shown that reproducible packages are technically achievable. Even so, many packages are still non-reproducible today. This leads to the following problems:

  • Small differences in the build environment (for example, a different time zone or file system ordering) change the binary.
  • Random data (for example, a timestamp or a UUID) may be added during the build.
  • Some packages produce a different result each time because of custom scripts or configuration.

To eliminate these cases, Debian supports the "Reproducible Builds" project and calls on package authors to conform to the standards.
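The two environment effects listed above (file ordering and embedded timestamps), shown on a tar archive as an added example that is not Debian's or the Reproducible Builds project's code. The file names, host values and the fixed epoch are constructed; real builds take the epoch from the SOURCE_DATE_EPOCH environment variable.

```python
import hashlib
import io
import tarfile

# Constructed inputs: two package files and two build hosts that differ only in
# directory-listing order and wall-clock time (hypothetical values).
FILES = {"usr/bin/demo": b"constructed binary\n", "usr/share/doc/demo/README": b"docs\n"}
HOST_A = {"listing": ["usr/bin/demo", "usr/share/doc/demo/README"], "clock": 1778400000}
HOST_B = {"listing": ["usr/share/doc/demo/README", "usr/bin/demo"], "clock": 1778403600}
SOURCE_DATE_EPOCH = 1778371200  # assumption: normally read from the environment


def pack(host, normalize):
    """Pack FILES as seen on `host` into a tar and return the archive's SHA-256."""
    # Normalizing means: sorted member order and one agreed timestamp.
    names = sorted(host["listing"]) if normalize else host["listing"]
    mtime = SOURCE_DATE_EPOCH if normalize else host["clock"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(FILES[name])
            info.mtime = mtime          # timestamp stored in every member header
            info.mode = 0o644
            info.uid = info.gid = 0     # do not leak the build user
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(FILES[name]))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def builds_match(normalize):
    """True when both hosts produce a bit-for-bit identical archive."""
    return pack(HOST_A, normalize) == pack(HOST_B, normalize)


if __name__ == "__main__":
    print("naive builds identical:     ", builds_match(False))
    print("normalized builds identical:", builds_match(True))
```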

What measures are being taken?

The Debian community is carrying out the following actions:

  • Creating a standardized build environment: providing buildinfo and source files with the same parameters.
  • Automating the build process: removing random data with tools such as dpkg-buildpackage and debuild.
  • Introducing verification tools: identifying differences between packages with programs such as reprotest and diffoscope.
  • Training the community: organizing dedicated guides, webinars and workshops for developers and package maintainers.
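Checking a rebuild against what the original build recorded, as an added example (not Debian's or the Reproducible Builds project's code): it reads the Checksums-Sha256 field of a .buildinfo file and compares each rebuilt artifact against it. The package names, payloads and the .buildinfo text are constructed.

```python
import hashlib


def parse_checksums(buildinfo_text):
    """Return {filename: (sha256, size)} from the Checksums-Sha256 field."""
    recorded, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_field = True
        elif in_field and line.startswith(" "):
            digest, size, name = line.split()
            recorded[name] = (digest, int(size))
        else:
            in_field = False  # any other field ends the checksum list
    return recorded


def verify_rebuild(buildinfo_text, rebuilt):
    """Compare rebuilt artifacts (name -> bytes) with the recorded checksums."""
    report = {}
    for name, (digest, size) in parse_checksums(buildinfo_text).items():
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) == size and hashlib.sha256(data).hexdigest() == digest:
            report[name] = "reproduced"
        else:
            report[name] = "differs"
    return report


# Constructed sample: two artifact payloads and the .buildinfo that records them.
ORIGINAL = {"demo_1.0-1_amd64.deb": b"constructed deb payload",
            "demo-doc_1.0-1_all.deb": b"constructed doc payload"}
BUILDINFO = "Format: 1.0\nSource: demo\nVersion: 1.0-1\nChecksums-Sha256:\n" + "".join(
    f" {hashlib.sha256(d).hexdigest()} {len(d)} {n}\n" for n, d in ORIGINAL.items()
) + "Build-Architecture: amd64\n"

if __name__ == "__main__":
    tampered = dict(ORIGINAL, **{"demo_1.0-1_amd64.deb": b"constructed deb payload\x00"})
    print(verify_rebuild(BUILDINFO, ORIGINAL))
    print(verify_rebuild(BUILDINFO, tampered))
```

A "differs" result only says the bytes changed; a tool such as diffoscope is what shows where.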

Impact on Debian users and developers

Once reproducible packages are mandatory, users expect the following:

  • A high level of security: verifying each package against its source code becomes easier.
  • Better stability: unexpected differences between packages decrease, and system updates go smoothly.
  • More trust: corporate and government customers gain an additional assurance when choosing Debian.

For developers, the new requirement also means some additional work, but in the long run it raises code quality and lowers maintenance costs.

What is expected in the future?

Debian's reproducible packages policy will be implemented in several stages. First, a list of important packages is drawn up and dedicated tests are run for them. Next, an automated test system is introduced for all packages. In the final stage, non-reproducible packages are removed from the Debian archive or their authors are asked to revise them.

This initiative serves as an example not only for Debian but for the whole Linux ecosystem, encouraging other distributions to adopt reproducible build standards as well.

Overall, reproducible packages make Debian a more trustworthy, secure and fair platform, which benefits users, developers and the whole community.

Source: Hacker News