[Dev] Reproducible Builds

Luke Shumaker lukeshu at lukeshu.com
Sun Apr 9 04:58:53 GMT 2017

On Sat, 08 Apr 2017 06:52:58 -0400,
Bill Auger wrote:
> id like to clarify a bit what i think are some mis-conceptions
> expressed yesterday in the IRC channel regarding reproducible builds

Hi Bill,

The first step is that we simply need better tracking of exactly what
source is being used to produce a package--we have a real deficiency
here introduced when we ditched Arch's SVN-based tooling for git.

I expect to publish a new release of libretools in the next week will
resolve this build-side.

After that, where the information goes after it is uploaded has a few
unresolved questions.  While I'm not giving up on PBS as a long-term
solution, I believe that an MVP/POC can be worked out very quickly
with some minimal changes to dbscripts.

This is really a prerequisite to beginning any real work on R-B.

> a jenkins server is not a requirement for this task - there is no
> standard procedure or tooling to achieve reproducibility - the
> jenkins integration is for the reproducible-builds.org CI server to
> demonstrate that packages can be built and verified by a third-party
> - for the actual work each distro is free to use whatever procedure
> and tools suits them for the plainly speaking general goal of making
> their builds reproducible

I do think that borrowing/building on the work that has been done for
the tests.R-B.org/archlinux server is a good idea.  I'm not sure
Jenkins itself is entirely necessary though; it seems a little
heavyweight for what is a pretty simple task. (Well, there are several
complicated bits of the task, but they aren't the parts addressed by

> that being said - the jenkins integration is already done - arch has
> been working with them for some time and arch packages are already
> building on the "reproducible-builds" CI server

It's currently a TODO item on the Arch jenkins to use disorderfs.
This is definitely a requirement for me.

Who runs that server?  Is it donated by anthraxx, the R-B team, or
someone else?

>                                                 - also to be clear
> they are not the AUR packages but the official arch packages - the
> next major step forward for arch and parabola is to patch pacman to
> reproduce and verify builds - ive been told that this patch is
> completed and nearly ready to be implemented widely

There are deficiencies in anthraxx's code; I've posted a review of it:

I've also mostly completed it--we have a tool `librefetch` which at
runtime creates a patched copy of makepkg that produces reproducible
tarballs; most of that can be re-used (we'll just have to apply the
changes to the version supplied in the main `pacman` package).

> so there are no major technical blocks to begin - the first step for
> parabola is to address the TODO: items on the wiki article -

> > 2.2 make pacman produce reproducible builds
> >
> > this task is mostly completed - arch developer 'anthraxx' 

See above.

> anthraxx and the reproducible-builds team are eager to work with
> parabola once some planning, competency, and/or current efforts are
> demonstrated publicly
> https://wiki.parabola.nu/Reproducible_Builds

Happy hacking,
~ Luke Shumaker

More information about the Dev mailing list