Mailinglist Archive: opensuse-factory (244 mails)

Re: [opensuse-factory] verifying OBS builds
On 2018-07-07 05:24, Bernhard M. Wiedemann wrote:
> now that my efforts in reproducible builds for openSUSE have come
> pretty far [1], I tried to reproduce the official Factory binaries.
>
> However, I already encountered one major difficulty.
>
> The problem comes from 'osc meta prj openSUSE:Factory' having
> <repository name="standard" rebuild="local">
>
> [...]
>
> Are there other ways to approach this?

I went for another way, that is testing official openSUSE Leap 15.0
binary builds and found that only 403 / 11520 local builds
had significant differences (via build-compare).
Those bad packages are listed in
http://rb.zq1.de/leap/15.0/build-compare-differed-builds-nachbau.txt

Most of them were already known to not build reproducibly.
I reviewed the remaining ones which found several bugs
https://bugzilla.opensuse.org/show_bug.cgi?id=1100488
https://bugzilla.opensuse.org/show_bug.cgi?id=1100520
https://bugzilla.opensuse.org/show_bug.cgi?id=1100677
https://bugzilla.opensuse.org/show_bug.cgi?id=1101262

Then I also had many unsubmitted patches. Some of them were stuck
upstream for a year. Many of those are now SRed and linked in
https://reproducible-builds.org/blog/posts/168/


The remaining list of diffs that I did not fully understand contains

binutils
gd (20 bytes at offset 645 in ELF)
grabpng (ditto)
kdoctools (some man/translations diff with 'meinproc5')
openssh (.hmac differed - probably from build-id)
perl-Wx
piglit (probably output depending on CPU-type)
python-pyside
rustfmt
strongswan (.hmac differed - probably from build-id)

Of course any of the known-bad monster packages like openjdk,
libreoffice or firefox can contain more issues. Alas, those issues are
hard to see within the mess.


So far, I have not found any traces of backdoors inserted into binaries
during the OBS build process.
And that is good news.

Ciao
Bernhard M.

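The findings above are reported as raw byte ranges ("20 bytes at offset 645 in ELF", ".hmac differed - probably from build-id"). The next question a reviewer asks about such a range is which ELF section it falls in: a default GNU build-id note is a 20-byte SHA-1, so a 20-byte run lying entirely inside .note.gnu.build-id is the expected kind of difference, while the same run in .text is not. The script below is an added example, not part of this thread and not build-compare's own code; it coalesces differing bytes into ranges, parses the ELF64 little-endian section header table, and attributes each range to a section. The two "builds" it compares are constructed in-line (a minimal three-section ELF with no program headers), so it runs offline; real packages would be read from disk instead.

```python
"""Classify byte-level differences between two builds of an ELF binary.

Added example (not from the mailing-list thread, not build-compare code).
Only ELF64 little-endian section headers are parsed; the sample binaries
are constructed below and are not loadable programs.
"""
import struct

ELF64_EHDR = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
ELF64_SHDR = "<IIQQQQIIQQ"          # one section header, 64 bytes
SHT_NOBITS = 8                      # .bss-style sections occupy no file bytes
BUILD_ID_SECTION = ".note.gnu.build-id"


def diff_ranges(a, b):
    """Return [(offset, length)] of maximal runs where a and b differ.
    Extra bytes past the common length count as one run at the tail."""
    ranges, start, n = [], None, min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    if len(a) != len(b):
        total = max(len(a), len(b))
        if ranges and sum(ranges[-1]) == n:       # run reaches the tail: merge
            off = ranges.pop()[0]
            ranges.append((off, total - off))
        else:
            ranges.append((n, total - n))
    return ranges


def elf_sections(data):
    """Parse ELF64 LE section headers -> [(name, file_offset, size)]."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    hdr = struct.unpack_from(ELF64_EHDR, data, 0)
    shoff, shentsize, shnum, shstrndx = hdr[6], hdr[11], hdr[12], hdr[13]
    raw = [struct.unpack_from(ELF64_SHDR, data, shoff + i * shentsize)
           for i in range(shnum)]
    strtab_off = raw[shstrndx][4]                 # sh_offset of .shstrtab

    def name_at(idx):
        end = data.index(b"\0", strtab_off + idx)
        return data[strtab_off + idx:end].decode()

    return [(name_at(s[0]), s[4], s[5]) for s in raw
            if s[1] != SHT_NOBITS and s[5] > 0]


def classify(official, rebuilt):
    """Return [(offset, length, section, verdict)] for each differing run.
    'expected' only for runs fully inside the build-id note; anything else,
    including a run that straddles sections, is 'REVIEW'.  If the two files
    do not share the same section layout, byte offsets no longer line up,
    so every run is reported for review rather than mis-attributed."""
    layout = elf_sections(official)
    same_layout = layout == elf_sections(rebuilt)
    out = []
    for off, ln in diff_ranges(official, rebuilt):
        sec = next((name for name, so, sz in layout
                    if so <= off and off + ln <= so + sz), None)
        verdict = "expected" if same_layout and sec == BUILD_ID_SECTION else "REVIEW"
        out.append((off, ln, sec, verdict))
    return out


def make_elf(build_id, text):
    """Constructed minimal ELF64: .text, .note.gnu.build-id, .shstrtab."""
    shstrtab = b"\0.text\0.note.gnu.build-id\0.shstrtab\0"
    n_text, n_note, n_shstr = 1, 7, 26          # name offsets in shstrtab
    note = struct.pack("<III", 4, len(build_id), 3) + b"GNU\0" + build_id
    text_off = 64
    note_off = text_off + len(text)
    shstr_off = note_off + len(note)
    shoff = shstr_off + len(shstrtab)

    def shdr(name, stype, off, size, align):
        return struct.pack(ELF64_SHDR, name, stype, 0, 0, off, size, 0, 0, align, 0)

    shdrs = (shdr(0, 0, 0, 0, 0)
             + shdr(n_text, 1, text_off, len(text), 16)          # SHT_PROGBITS
             + shdr(n_note, 7, note_off, len(note), 4)           # SHT_NOTE
             + shdr(n_shstr, 3, shstr_off, len(shstrtab), 1))    # SHT_STRTAB
    ehdr = struct.pack(ELF64_EHDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 4, 3)
    return ehdr + text + note + shstrtab + shdrs


# Constructed sample inputs: identical code with a different build-id
# (benign), and identical build-id with one patched instruction byte.
TEXT = bytes.fromhex("554889e5b8000000005dc3") + b"\0" * 5
OFFICIAL = make_elf(b"\x11" * 20, TEXT)
REBUILT = make_elf(b"\x22" * 20, TEXT)
TAMPERED = make_elf(b"\x11" * 20, TEXT.replace(b"\xb8\x00\x00\x00\x00", b"\xb8\x01\x00\x00\x00"))

if __name__ == "__main__":
    for label, other in (("rebuilt", REBUILT), ("tampered", TAMPERED)):
        for off, ln, sec, verdict in classify(OFFICIAL, other):
            print(f"{label}: {ln} bytes at offset {off} in {sec}: {verdict}")
```

Note that the .hmac files mentioned in the thread are derived from the whole binary, so any difference in it, build-id included, changes them as well; comparing the underlying ELF first, as here, tells you whether the .hmac change has a cause of its own.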