Reproducibility, in Debian, is:
With free software, anyone can inspect the source code for malicious flaws. But Debian provide binary packages to its users. The idea of “deterministic” or “reproducible” builds is to empower anyone to verify that no flaws have been introduced during the build process by reproducing byte-for-byte identical binary packages from a given source.
Then, in order to provide reproducible binaries to Vala projects we need:
- Make sure you distribute generated C source code
- If you are a library, make sure to distribute VAPI and GIR files
This will help build process to avoid call valac in order to generate C source code, VAPI and GIR files from your Vala sources.
Because C source is distributed with a release’s tarball, any Vala project could be binary reproducible from sources.
In order to produce development packages, you should distribute VAPI and GIR files, along with .h ones. They should be included in your tarball, to avoid valac produce them.
GXml distribute all their C sources, but not GIR and VAPI files. This should be fixed next release.
GNOME Clocks distributes just Vala sources; this is why bug #772717 against Clocks, has been filed.
libgee distributes Vala sources also, but no Debian bug exists against it. May be its Vala source annotations helps, but may is a good idea to distribute C, VAPI and GIR files in future versions.
My patches to GNOME Builder, produce Makefiles to generate C sources form Vala ones. They require to be updated in order to distribute VAPI and GIR files with your Vala project.