Mailinglist Archive: opensuse-factory (147 mails)

< Previous Next >
[opensuse-factory] verifying OBS builds
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

now that my efforts in reproducible builds for openSUSE have come
pretty far [1], I tried to reproduce the official Factory binaries.

This already found https://bugzilla.opensuse.org/show_bug.cgi?id=1100488

However, I already encountered one major difficulty. E.g. when
building zypper locally and comparing it to the official binary I get

Comparing zypper-1.14.6-1.1.x86_64.rpm to zypper-1.14.6-1.1.x86_64.rpm
comparing the rpm tags of zypper
- -libzypp 12 17.3.1
+libzypp 12 17.4.0

plus some related asm diffs.

The problem comes from 'osc meta prj openSUSE:Factory' having
<repository name="standard" rebuild="local">

[2] says, this means that when zypper was checked in 15 days ago, it
was built with the then-current libzypp-17.3.1 .
When libzypp was updated 10 days ago, zypper was not rebuilt.
But there are no libzypp-17.3.1 packages available anymore in OBS, so
reproducing the original zypper rpm from 15d ago is impossible.

What would be the downsides of a rebuild="direct" ?
Probably more Factory package rebuilds, more updated rpms shipped to
Tumbleweed users using more bandwidth. Not so desirable.

Another approach would be to keep old rpms around like with the
tumbleweed snapshots from boombatower, but using those in a local osc
build is currently hard.
And we probably will need to use the _buildenv files to find out the
exact versions used for the official build.

I could also try to have my scripts rebuild packages that were just
updated, so that differences in build dependencies are small.
But that is not so much in the spirit of reproducible builds allowing
to get identical build output at any time (and on any machine).

Are there other ways to approach this?

TIA for your input on this topic.

Ciao
Bernhard M.


[1] https://www.suse.com/c/reproducible-builds-in-opensuse-and-sle/
[2]
https://en.opensuse.org/openSUSE:Build_Service_Concept_build_scheduling_
strategies
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRk4KvQEtfG32NHprVJNgs7HfuhZAUCW0AybQAKCRBJNgs7Hfuh
ZPvBAKC3xRUzLm6STYZwsFH7zB8hH7dB7ACgxJXxwLMODGrHjZ9lUEOIINEFkrQ=
=sF8P
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >