[Dev] Reproducible Builds
lukeshu at lukeshu.com
Sun Apr 9 04:58:53 GMT 2017

On Sat, 08 Apr 2017 06:52:58 -0400,
Bill Auger wrote:
> I'd like to clarify a bit what I think are some misconceptions
> expressed yesterday in the IRC channel regarding reproducible builds

The first step is that we simply need better tracking of exactly what
source is being used to produce a package--we have a real deficiency
here introduced when we ditched Arch's SVN-based tooling for git.

I expect to publish a new release of libretools in the next week that
will resolve this build-side.

After that, where the information goes after it is uploaded has a few
unresolved questions. While I'm not giving up on PBS as a long-term
solution, I believe that an MVP/POC can be worked out very quickly
with some minimal changes to dbscripts.

This is really a prerequisite to beginning any real work on R-B.

> a jenkins server is not a requirement for this task - there is no
> standard procedure or tooling to achieve reproducibility - the
> jenkins integration is for the reproducible-builds.org CI server to
> demonstrate that packages can be built and verified by a third-party
> - for the actual work each distro is free to use whatever procedure
> and tools suit them for the plainly speaking general goal of making
> their builds reproducible

I do think that borrowing/building on the work that has been done for
the tests.R-B.org/archlinux server is a good idea. I'm not sure
Jenkins itself is entirely necessary though; it seems a little
heavyweight for what is a pretty simple task. (Well, there are several
complicated bits of the task, but they aren't the parts addressed by

> that being said - the jenkins integration is already done - arch has
> been working with them for some time and arch packages are already
> building on the "reproducible-builds" CI server

It's currently a TODO item on the Arch jenkins to use disorderfs.
This is definitely a requirement for me.

Who runs that server? Is it donated by anthraxx, the R-B team, or

> - also to be clear
> they are not the AUR packages but the official arch packages - the
> next major step forward for arch and parabola is to patch pacman to
> reproduce and verify builds - I've been told that this patch is
> completed and nearly ready to be implemented widely

There are deficiencies in anthraxx's code; I've posted a review of it:
I've also mostly completed it--we have a tool `librefetch` which at
runtime creates a patched copy of makepkg that produces reproducible
tarballs; most of that can be re-used (we'll just have to apply the
changes to the version supplied in the main `pacman` package).

> so there are no major technical blocks to begin - the first step for
> parabola is to address the TODO: items on the wiki article -
> > 2.2 make pacman produce reproducible builds
> > this task is mostly completed - arch developer 'anthraxx'

> anthraxx and the reproducible-builds team are eager to work with
> parabola once some planning, competency, and/or current efforts are
> demonstrated publicly

~ Luke Shumaker
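
An added illustration, not part of the original message and not librefetch, makepkg or pacman code, of what "reproducible tarballs" requires in practice: the archive must depend only on file names and contents, not on directory read order (what disorderfs perturbs), timestamps, ownership, or the gzip header. The fixed timestamp, the sample file list and all function names are assumptions made for the example.

```python
import gzip, hashlib, io, os, tarfile, tempfile

FIXED_MTIME = 1491714000  # constructed value, standing in for a pinned build date

def _normalize(info):
    """Strip metadata that varies between build hosts."""
    info.mtime = FIXED_MTIME
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    info.mode = 0o755 if (info.isdir() or info.mode & 0o100) else 0o644
    return info

def reproducible_tarball(root):
    """Return .tar.gz bytes that depend only on names and contents under root."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(paths):  # fixed order, independent of readdir()
            tar.add(path, arcname=os.path.relpath(path, root),
                    recursive=False, filter=_normalize)
    out = io.BytesIO()
    # Empty filename and mtime=0 keep the gzip header free of host state.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def make_tree(files, mtime):
    """Write a constructed sample tree with the given creation order and mtime."""
    root = tempfile.mkdtemp()
    for rel, data in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))
    return root

def digest(root):
    return hashlib.sha256(reproducible_tarball(root)).hexdigest()

# Constructed sample package contents.
FILES = [("pkg/usr/bin/hello", b"#!/bin/sh\necho hello\n"),
         ("pkg/.PKGINFO", b"pkgname = hello\n")]

if __name__ == "__main__":
    first = make_tree(FILES, 1000000000)
    second = make_tree(list(reversed(FILES)), 1400000000)
    print(digest(first) == digest(second))
```

The output is byte-identical only for the same Python and zlib versions, which is one reason exact tracking of the build inputs comes first.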