On Wed, 16 Dec 2015, Ludwig Nussel wrote:
> Michael Matz wrote:
> > On Fri, 11 Dec 2015, Adam Spiers wrote:
> > > Is anyone working on (or thinking of working on) making our build process reproducible?
> > > https://reproducible-builds.org/
> > We have had that since about forever, as far as easily possible. The hard part is changing packages to not depend on things like build time (e.g. encoding the build date/time into strings in executables). That's not something you can do generally in a build system, but must be changed in each and every individual package.
> It's probably worth explaining the difference between our reproducible builds and this new interpretation. SUSE and openSUSE distributions have always had reproducible builds, for something like 20 years now. Reproducible in the sense that a packager never builds binaries on his own system in some magic way and then uploads binaries.
> We always build sources server side (nowadays OBS, previously autobuild). How the build environment has to look is defined via BuildRequires in the spec file and settings in the project config on the server side. Moreover, we don't allow packagers to directly build packages in the distribution's project. There's always a review step (four eyes principle). Some distributions don't have that and only have reviews when a package is accepted for the first time.
> OBS always re-creates the build environment from scratch for each package and automatically uses other packages in the same project to set up that build environment. I.e. there's no magic base build system; the distribution bootstraps itself. Not only on request or in mass rebuilds, but fully automatically. So even packages that haven't been submitted for years are rebuilt with current compilers and libraries. Additionally, every binary rpm produced by OBS contains a back reference to the used sources (in the disturl).
> IOW our process and infrastructure guarantee that our packages can reproducibly be built from source. Everyone can reproduce that by firing up their own build service and linking to OBS. In that sense _our build process is reproducible_ and has always been. The terrifying news here is that other distributions still have to do homework to even get there.
Well, I don't see how you can "easily" reproduce a build of an "old" version of a package without re-bootstrapping the whole old state of the repository to build against. I understand that we eventually have enough information in the package to actually re-create that repository "source" state, and we keep old sources around but not binaries.
Not sure if reproducible-builds.org intends to make that any easier than what we have though.
Richard.
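The build-date problem Michael mentions above (packages baking `__DATE__`/`__TIME__`-style strings into their executables) is the first thing to look for when two rebuilds of the same source differ. The following is an added example, not code from the thread or from OBS: a small scanner that pulls printable strings out of a binary, flags the ones that look like embedded timestamps, and compares two builds. The timestamp patterns and the sample bytes are constructed for illustration.

```python
import re

# Assumed patterns for the timestamp layouts build tools commonly embed:
# the C __DATE__ / __TIME__ macro format ("Dec 16 2015" / "14:03:22")
# and ISO-8601 dates. Not an exhaustive list.
_MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"
TIMESTAMP_PATTERNS = [
    ("c-date-macro", re.compile(rf"\b(?:{_MONTHS}) [ \d]\d \d{{4}}\b")),
    ("c-time-macro", re.compile(r"\b\d{2}:\d{2}:\d{2}\b")),
    ("iso-date", re.compile(r"\b\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2})?)?\b")),
]

def printable_strings(data: bytes, min_len: int = 6):
    """Yield (offset, text) for runs of printable ASCII, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

def find_embedded_timestamps(data: bytes):
    """Return [(offset, kind, matched_text)] for timestamp-looking strings."""
    hits = []
    for offset, text in printable_strings(data):
        for kind, pat in TIMESTAMP_PATTERNS:
            for m in pat.finditer(text):
                hits.append((offset + m.start(), kind, m.group()))
    return hits

def is_reproducible_candidate(build_a: bytes, build_b: bytes):
    """Two builds of the same source should be byte-identical. If they are
    not, return the embedded timestamps in both as the first suspects."""
    if build_a == build_b:
        return True, []
    return False, find_embedded_timestamps(build_a) + find_embedded_timestamps(build_b)

# Constructed sample: a fake object whose version banner bakes in the build
# date and time the way __DATE__ / __TIME__ would. Not a real binary.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                 + b"foo version 1.2 built Dec 16 2015 14:03:22\x00"
                 + b"\x90" * 4 + b"Copyright 2015\x00")

if __name__ == "__main__":
    for offset, kind, text in find_embedded_timestamps(SAMPLE_BINARY):
        print(f"0x{offset:08x} {kind:<13} {text!r}")
```

A rebuilt package whose only differences are strings this scanner reports is exactly the per-package fix Michael describes; anything else that differs points at the build environment itself.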