Mailinglist Archive: opensuse-factory (244 mails)

< Previous Next >
[opensuse-factory] verifying OBS builds
Hash: SHA1


now that my efforts in reproducible builds for openSUSE have come
pretty far [1], I tried to reproduce the official Factory binaries.

This already found

However, I already encountered one major difficulty. E.g. when
building zypper locally and comparing it to the official binary I get

Comparing zypper-1.14.6-1.1.x86_64.rpm to zypper-1.14.6-1.1.x86_64.rpm
comparing the rpm tags of zypper
- -libzypp 12 17.3.1
+libzypp 12 17.4.0

plus some related asm diffs.

The problem comes from 'osc meta prj openSUSE:Factory' having
<repository name="standard" rebuild="local">

[2] says, this means that when zypper was checked in 15 days ago, it
was built with the then-current libzypp-17.3.1 .
When libzypp was updated 10 days ago, zypper was not rebuilt.
But there are no libzypp-17.3.1 packages available anymore in OBS, so
reproducing the original zypper rpm from 15d ago is impossible.

What would be the downsides of a rebuild="direct" ?
Probably more Factory package rebuilds, more updated rpms shipped to
Tumbleweed users using more bandwidth. Not so desirable.

Another approach would be to keep old rpms around like with the
tumbleweed snapshots from boombatower, but using those in a local osc
build is currently hard.
And we probably will need to use the _buildenv files to find out the
exact versions used for the official build.

I could also try to have my scripts rebuild packages that were just
updated, so that differences in build dependencies are small.
But that is not so much in the spirit of reproducible builds allowing
to get identical build output at any time (and on any machine).

Are there other ways to approach this?

TIA for your input on this topic.

Bernhard M.


To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >