On 2015-12-11 11:43, Adam Spiers wrote:
> Is anyone working on (or thinking of working on) making our build process reproducible?
> It seems Debian and Fedora are already part of the project, and the advantages are quite compelling, not just from a security perspective, but also due to the potential savings in storage and network consumption:
now I had some time to look into how reproducible our builds are and had a VM (with 4 cores) build all Leap 42.1 packages named a*
using some helper scripts, which I uploaded to https://github.com/bmwiedemann/reproducibleopensuse
with those helpers, I just had to do
  rebuildmany a*
  comparemany a*
btw: the rebuild of those 217 packages took 382 minutes
of those 217 (a small subset of Leap's 7830), build-compare reported a diff for 36 packages
and if you wonder, those are a2ps acct aegisub aespipe allegro alpine amanda amor anjuta anthy antlr apache-commons-cli apache-commons-codec apache-commons-collections apache-commons-email apache-commons-io apache-commons-lang apache-portlet-1_0-api apel appframework aqbanking argyllcms arts asl asm3 aspell aspell-en atmel-firmware autoconf-el autogen autoyast2 avfs avogadro avrdude awesome axis
The other thing I did was to look at how common the use of the better SOURCE_DATE_EPOCH is. For that I used
  find openSUSE:Factory/ -name '*.gz' -o -name '*.xz' -o -name '*.bz2' |\
    grep -v ".osc" | xargs zgrep -l SOURCE_DATE_EPOCH
to find that SOURCE_DATE_EPOCH is already used in doxygen deja-dup help2man u-boot
another thing I found is that when you use osc getbinaries you get a file named _buildenv and that contains unique IDs of all packages used for building this, so it should be possible to archive and later fetch the exact versions of everything needed.
Ciao
Bernhard M.
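What honoring SOURCE_DATE_EPOCH means for a tool that writes archives, as an added example that is not part of the original message or of the reproducibleopensuse helpers: the same source tree is packed at two different build times, once with timestamps pinned to a fixed epoch and once with the wall clock. The function names, the sample tree and all epoch values are constructed for illustration.

```python
import gzip, hashlib, io, os, tarfile, tempfile, time

def source_date_epoch():
    """Build timestamp: SOURCE_DATE_EPOCH when exported, else the wall clock."""
    value = os.environ.get("SOURCE_DATE_EPOCH")
    return int(value) if value else int(time.time())

def pack(src_dir, epoch):
    """Return .tar.gz bytes of the files in src_dir with varying metadata pinned."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()                          # fixed traversal order
            for name in sorted(files):           # fixed member order
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, src_dir))
                info.mtime = int(min(info.mtime, epoch))  # clamp newer files to epoch
                info.uid = info.gid = 0          # drop the build user's identity
                info.uname = info.gname = ""
                info.mode = 0o755 if info.mode & 0o100 else 0o644  # ignore umask
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    out = io.BytesIO()
    # gzip stores a file name and an mtime in its header: blank one, pin the other.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=epoch) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def demo():
    """Build one constructed source tree at two build times.
    Returns (pinned builds identical?, unpinned builds identical?)."""
    pinned, unpinned = [], []
    for build_time in (1700000000, 1700000600):  # constructed wall-clock times
        with tempfile.TemporaryDirectory() as tree:
            path = os.path.join(tree, "hello.txt")
            with open(path, "w") as fh:
                fh.write("same source\n")
            os.utime(path, (build_time, build_time))  # file was written "now"
            # 1449792000 is a constructed SOURCE_DATE_EPOCH value
            pinned.append(hashlib.sha256(pack(tree, 1449792000)).hexdigest())
            unpinned.append(hashlib.sha256(pack(tree, build_time)).hexdigest())
    return pinned[0] == pinned[1], unpinned[0] == unpinned[1]

if __name__ == "__main__":
    print("epoch in use:", source_date_epoch())
    print("pinned identical, unpinned identical:", demo())
```

A byte-identical rebuild is what lets a third party confirm that a published binary matches its source by comparing hashes alone.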