Mailinglist Archive: opensuse-packaging (130 mails)

Re: [opensuse-packaging] reproducible builds
  • From: "Bernhard M. Wiedemann" <bernhardout@xxxxxxxx>
  • Date: Wed, 17 Feb 2016 20:01:12 +0100
  • Message-id: <56C4C378.8030101@lsmod.de>

On 2015-12-11 11:43, Adam Spiers wrote:
> Is anyone working on (or thinking of working on) making our build
> process reproducible?
>
> https://reproducible-builds.org/
>
> It seems Debian and Fedora are already part of the project, and
> the advantages are quite compelling, not just from a security
> perspective, but also due to the potential savings in storage and
> network consumption:
>
> https://hackweek.suse.com/13/projects/131


Now I had some time to look into how reproducible our builds are
and had a VM (with 4 cores) build all Leap 42.1 packages named a*

using some helper scripts, which I uploaded to
https://github.com/bmwiedemann/reproducibleopensuse

With those helpers, I just had to do

    rebuildmany a*
    comparemany a*

BTW: the rebuild of those 217 packages took 382 minutes.

Of those 217 (a small subset of Leap's 7830),
build-compare reported a diff for 36 packages.

And if you wonder, those are
a2ps acct aegisub aespipe allegro alpine amanda amor anjuta anthy
antlr apache-commons-cli apache-commons-codec
apache-commons-collections apache-commons-email apache-commons-io
apache-commons-lang apache-portlet-1_0-api apel appframework aqbanking
argyllcms arts asl asm3 aspell aspell-en atmel-firmware autoconf-el
autogen autoyast2 avfs avogadro avrdude awesome axis


The other thing I did was to look at how common the use of the better
SOURCE_DATE_EPOCH is.
For that I used

    find openSUSE\:Factory/ -name \*.gz -o -name \*.xz -o -name \*.bz2 |\
    grep -v "\.osc" | xargs zgrep -l SOURCE_DATE_EPOCH

to find that SOURCE_DATE_EPOCH is already used in
doxygen
deja-dup
help2man
u-boot


Another thing I found is that when you use

    osc getbinaries

you get a file named _buildenv and that contains unique IDs of all
packages used for building this, so it should be possible to archive
and later fetch the exact versions of everything needed.


Ciao
Bernhard M.
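
An added example, not part of the mail above or of the reproducibleopensuse scripts: what honouring SOURCE_DATE_EPOCH means for one packaging step. It packs two constructed "rebuilds" of the same files, made at different times, into .tar.gz archives, once naively and once with timestamps clamped to SOURCE_DATE_EPOCH and ordering, ownership and modes normalised. All function names, the sample tree and the epoch value are assumptions made for illustration.

```python
import gzip, hashlib, io, os, tarfile, tempfile, time

def source_date_epoch():
    """SOURCE_DATE_EPOCH (Unix seconds) if set, otherwise the current time."""
    value = os.environ.get("SOURCE_DATE_EPOCH")
    return int(value) if value else int(time.time())

def build_archive(srcdir, reproducible=True):
    """Pack srcdir into .tar.gz bytes, optionally normalising variable metadata."""
    epoch = source_date_epoch()
    paths = [os.path.join(r, f) for r, _, fs in os.walk(srcdir) for f in fs]
    if reproducible:
        paths.sort()                      # directory order differs between hosts
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for path in paths:
            info = tar.gettarinfo(path, arcname=os.path.relpath(path, srcdir))
            if reproducible:
                info.mtime = min(int(info.mtime), epoch)  # clamp, keep older mtimes
                info.uid, info.gid, info.uname, info.gname = 0, 0, "", ""
                info.mode = 0o755 if info.mode & 0o111 else 0o644
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    out = io.BytesIO()
    with gzip.GzipFile(filename="", fileobj=out, mode="wb",
                       mtime=epoch if reproducible else None) as gz:  # None = "now"
        gz.write(raw.getvalue())
    return out.getvalue()

def make_tree(build_time):
    """Constructed sample build output whose files carry the given build time."""
    top = tempfile.mkdtemp()
    for name, data in (("usr/bin/tool", b"#!/bin/sh\necho hi\n"),
                       ("usr/share/doc/README", b"docs\n")):
        path = os.path.join(top, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (build_time, build_time))
    return top

def demo():
    """Two 'rebuilds' at different times: (naive equal?, normalised equal?)."""
    os.environ["SOURCE_DATE_EPOCH"] = "1455735672"   # constructed value
    a, b = make_tree(1455800000), make_tree(1455900000)
    digest = lambda d, r: hashlib.sha256(build_archive(d, r)).hexdigest()
    return digest(a, False) == digest(b, False), digest(a, True) == digest(b, True)

if __name__ == "__main__":
    print(demo())
```

The naive archives differ only in embedded metadata, which is the kind of difference a byte-for-byte comparison of two rebuilds flags even when the packaged files are identical.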
