Build yourself
Package contents
The directory bearing the <package> name in the root of the working tree holds the actual package payload. There is no compiled code. Some files are compressed. All the information is contained within - more details are covered in the Debian package audit post.
Build
The package can be assembled with no build dependencies from within the contents directory:
dpkg-deb --build --root-owner-group . self-built.deb
Verifiability
A reproducible build - one that results in a binary-identical .deb file - is possible by recreating the original environment.
File permissions
- ensure umask 0022 is set prior to git clone (or more precisely, checkout); or
- alternatively set correct file permissions with source .permsrc thereafter.
Build metadata
Source the <package>.buildmeta file - there is exactly one - and export environment variables for dpkg-deb:
source *.buildmeta
export SOURCE_DATE_EPOCH DPKG_DEB_COMPRESSOR_TYPE
Expected checksum and published package URL are available through further environment variables:
- DEB_SHA256 - expected .deb file checksum value; and
- DEB_URL - URL of the published package.
A correctly reproduced build results in a matching checksum, also identical to that of the published package.
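The build and checksum comparison described above, combined into one script as an added example that is not part of the original page or the project's own tooling. The function names, the argument layout and the choice to write the output .deb outside the contents directory are assumptions of this example; file permissions are expected to be correct already, as described under File permissions.

```shell
#!/bin/sh
# Added example: rebuild the package and compare it with the checksum from *.buildmeta.
# Function names and argument layout are assumptions of this example.

# Source the single *.buildmeta in directory $1 and export what dpkg-deb reads.
load_buildmeta() {
    set -- "$1"/*.buildmeta
    if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
        echo "expected exactly one .buildmeta file" >&2
        return 2
    fi
    . "$1" || return 2        # "." is the portable spelling of "source"
    if [ -z "${SOURCE_DATE_EPOCH:-}" ] || [ -z "${DEB_SHA256:-}" ]; then
        echo "buildmeta did not set SOURCE_DATE_EPOCH / DEB_SHA256" >&2
        return 2
    fi
    export SOURCE_DATE_EPOCH DPKG_DEB_COMPRESSOR_TYPE
}

# Return 0 only if the SHA-256 of file $1 equals $2 (hex, case-insensitive).
verify_sha256() {
    [ -f "$1" ] || { echo "missing file: $1" >&2; return 2; }
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    got=$(sha256sum "$1" | cut -d' ' -f1)
    if [ "$got" = "$want" ]; then
        echo "MATCH    $got  $1"
    else
        echo "MISMATCH $1" >&2
        echo "  built:    $got" >&2
        echo "  expected: $want" >&2
        return 1
    fi
}

# $1 = directory with *.buildmeta, $2 = package contents directory,
# $3 = absolute output path outside $2, so a stale .deb from an earlier
#      run is never packed into the next build.
reproduce_deb() {
    load_buildmeta "$1" || return
    ( cd "$2" && dpkg-deb --build --root-owner-group . "$3" ) || return
    verify_sha256 "$3" "$DEB_SHA256"
}
```

verify_sha256 can equally be run on the file downloaded from DEB_URL to confirm that the published package carries the same checksum.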
Tip
See also public reproducible build in the supply chain security subsection.