[Dev] Reproducible builds from ARCH

Denis 'GNUtoo' Carikli GNUtoo at no-log.org
Sat Apr 9 08:37:48 GMT 2016


I noticed that arch now has a page at reproducible-builds.org:

However every single packages fails, including simple shell scripts like
keychain which has only 2 files:
% pacman -Q -l keychain
keychain /usr/bin/keychain
keychain /usr/share/man/man1/keychain.1.gz

% file /usr/bin/keychain
/usr/bin/keychain: POSIX shell script, ASCII text executable, with
escape sequences

Comparing the package content shows some issue:
- .PKGINFO encodes the build date
- .BUILDINFO encodes all the system's packages at build time.
- .MTREE also encodes time.  

Also, makepkg (available in the pacman package) uses bsdtar, given the
issues above, I could not test if it worked.

I remember from a previous conversation on this list that uploaders
are supposed to use a chroot to build the package.

- Is there any tool that automatize building with the chroot? What
  uploaders typically build packages?
- Where is the work on making arch reproducible going on? Do they have
  mailing list specially for it? or should patches be sent directly to
  the given tool (like pacman).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.parabola.nu/pipermail/dev/attachments/20160409/c7ea1657/attachment.sig>

More information about the Dev mailing list