[Dev] Reproducible Builds

Bill Auger mr.j.spam.me at gmail.com
Sun Apr 9 08:32:34 GMT 2017

On Sun, Apr 9, 2017 at 12:58 AM, Luke Shumaker <lukeshu at lukeshu.com> wrote:
> I do think that borrowing/building on the work that has been done for
> the tests.R-B.org/archlinux server is a good idea.  I'm not sure
> Jenkins itself is entirely necessary though; it seems a little
> heavyweight for what is a pretty simple task.

i think there is still a mis-conception implied in that - there is
nothing useful to "leverage" regarding the jenkins server at r-b.o -
it is not a build farm - it exists solely as an independent party for
the purpose of verification playing the role of the end-user
stakeholder - it is of no usefulness to parabola other than as a
public verification of parabola's commitment and competency
demonstrated by an impartial party

in other words each distro is free to implement using whichever tools
and procedures they choose - in the simplest final stages the jenkins
server at r-b.o could have nothing more than the patched pacman
exactly as will be shipped to end-users which downloads the patched
sources and prepares the expected build environment automatically
based on some prescription associated with each package

debian specifies the environment in a .BUILDINFO metadata file for
example that accompanies the sources but again, each distro can handle
that as it chooses - this declares in a functional way such constants
as the exact versions of the compiler and dependencies - (i.e.
compiler ^ dependencies ^ sources ^ env-vars -> deterministic-result)
- jenkins re-builds each package several times randomizing some
unspecified factors to verify that the build is reproducible given
only the source and the prescribed build environment expectations - it
then discards the artifacts and displays the test results on the web -
there is nothing more to it

the fuzz thrown into the pre-defined build environment includes
varying the following, none of which must ever affect the output or
else the verification will fail

date and time,
build path,
domain name,
environment variables,
user name,
user id,
group name,
group id,
kernel version,
CPU type,
number of CPU cores.

see https://reproducible-builds.org/docs/

More information about the Dev mailing list