On 2018-07-07 05:24, Bernhard M. Wiedemann wrote:
> now that my efforts in reproducible builds for openSUSE have come pretty far [1], I tried to reproduce the official Factory binaries.
> However, I already encountered one major difficulty.
> The problem comes from 'osc meta prj openSUSE:Factory' having <repository name="standard" rebuild="local">
[...]
> Are there other ways to approach this?

I went for another way, that is, testing official openSUSE Leap 15.0 binary builds, and found that only 403 / 11520 local builds had significant differences (via build-compare).
Those bad packages are listed in
http://rb.zq1.de/leap/15.0/build-compare-differed-builds-nachbau.txt
Most of them were already known to not build reproducibly.

I reviewed the remaining ones, which found several bugs:
https://bugzilla.opensuse.org/show_bug.cgi?id=1100488
https://bugzilla.opensuse.org/show_bug.cgi?id=1100520
https://bugzilla.opensuse.org/show_bug.cgi?id=1100677
https://bugzilla.opensuse.org/show_bug.cgi?id=1101262

Then I also had many unsubmitted patches. Some of them were stuck upstream for a year. Many of those are now SRed and linked in
https://reproducible-builds.org/blog/posts/168/

The remaining list of diffs that I did not fully understand contains
binutils
gd (20 bytes at offset 645 in ELF)
grabpng (ditto)
kdoctools (some man/translations diff with 'meinproc5')
openssh (.hmac differed - probably from build-id)
perl-Wx
piglit (probably output depending on CPU-type)
python-pyside
rustfmt
strongswan (.hmac differed - probably from build-id)

Of course any of the known-bad monster packages like openjdk, libreoffice or firefox can contain more issues. Alas, those issues are hard to see within the mess.

So far, I have not found any traces of backdoors inserted into binaries during the OBS build process. And that is good news.

Ciao
Bernhard M.