-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 For openSUSE:Leap:15.2 12235 package verification builds were done, of those, 796 failed initial verification with build-compare [1]. I did local double-builds of these 796 and found that unfortunately only 346 of them could produce the same build results twice. Of these 346, 15 were kmps that suffered from an issue with our OBS pesign integration. 91 became reproducible when building with the older linux-glibc-devel-4.15 that was used for building the official binaries. That left 239 verifiable packages that could not be automatically verified with the published 15.2 GM binaries. At least 18 contained a previous kernel version string because we usually don't do automatic rebuilds for kernel updates. Also, full rebuilds were disabled during the last stage of 15.2 development. For future Leap release verifications I probably need to keep old binaries around as I already do for Factory. https://rb.zq1.de/leap/15.2/ has more data around this for further inspection or automatic processing. https://rb.zq1.de/leap/15.2/reproducible-verification2.json has info on the 801 most interesting packages. [1] background reading for why verification does not give bit-identical results (yet): https://www.suse.com/c/extending-trust-in-our-binaries-no-backdoors-have-bee... -----BEGIN PGP SIGNATURE----- iHUEARYIAB0WIQTykslvYmKwlIQesLNdovN53d8CLgUCXxraMwAKCRBdovN53d8C Li9uAP90tA+4OoPmVOXMFZ+MkTGu1g6FHhW0n8pL6IdGjqLZwQEAv9uEB1BOMRNO T0VceqamRsWCZNHP032KVIOHGBvbYQA= =3/3C -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org