Mailinglist Archive: opensuse-factory (244 mails)

Re: [opensuse-factory] verifying OBS builds
On 2018-07-07 05:24, Bernhard M. Wiedemann wrote:
> now that my efforts in reproducible builds for openSUSE have come
> pretty far [1], I tried to reproduce the official Factory binaries.
>
> However, I already encountered one major difficulty.
>
> The problem comes from 'osc meta prj openSUSE:Factory' having
> <repository name="standard" rebuild="local">
>
>
> Are there other ways to approach this?

I went for another way, that is testing official openSUSE Leap 15.0
binary builds and found that only 403 / 11520 local builds
had significant differences (via build-compare).
Those bad packages are listed in

Most of them were already known to not build reproducibly.
I reviewed the remaining ones, which found several bugs

Then I also had many unsubmitted patches. Some of them were stuck
upstream for a year. Many of those are now SRed and linked in

The remaining list of diffs that I did not fully understand contains

gd (20 bytes at offset 645 in ELF)
grabpng (ditto)
kdoctools (some man/translations diff with 'meinproc5')
openssh (.hmac differed - probably from build-id)
piglit (probably output depending on CPU-type)
strongswan (.hmac differed - probably from build-id)

Of course any of the known-bad monster packages like openjdk,
libreoffice or firefox can contain more issues. Alas, those issues are
hard to see within the mess.

So far, I have not found any traces of backdoors inserted into binaries
during the OBS build process.
And that is good news.

Bernhard M.
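
As an added example (not code from the original post, from OBS or from build-compare), one way to check a "probably from build-id" guess: list the differing byte runs between an official and a local binary and mark those that lie inside a GNU build-id note. It assumes little-endian ELF files of equal size with a 20-byte build-id, finds the note by searching for its header bytes instead of parsing section headers, and runs on a constructed sample blob; all function names are hypothetical.

```python
import struct

# ELF note header for a GNU build-id with a 20-byte (SHA-1 sized) descriptor:
# namesz=4, descsz=20, type=NT_GNU_BUILD_ID (3), name "GNU\0", little-endian.
BUILD_ID_HDR = struct.pack("<III", 4, 20, 3) + b"GNU\0"

def diff_runs(a, b):
    """Return [(offset, length)] for each run of differing bytes in two equal-size blobs."""
    if len(a) != len(b):
        raise ValueError("sizes differ: %d vs %d" % (len(a), len(b)))
    runs, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, len(a) - start))
    return runs

def build_id_ranges(blob):
    """Return [(offset, length)] of every build-id descriptor found by header search."""
    out, pos = [], blob.find(BUILD_ID_HDR)
    while pos != -1:
        out.append((pos + len(BUILD_ID_HDR), 20))
        pos = blob.find(BUILD_ID_HDR, pos + 1)
    return out

def classify(a, b):
    """Label each differing run 'build-id' if it lies inside a descriptor, else 'unexplained'."""
    ids = build_id_ranges(a)
    result = []
    for off, length in diff_runs(a, b):
        inside = any(s <= off and off + length <= s + n for s, n in ids)
        result.append((off, length, "build-id" if inside else "unexplained"))
    return result

def make_blob(build_id, payload):
    # Constructed sample, not a real ELF: padding, one build-id note, then payload.
    return b"\x7fELF" + b"\0" * 60 + BUILD_ID_HDR + build_id + payload

if __name__ == "__main__":
    official = make_blob(bytes(range(20)), b"code-A")
    local = make_blob(bytes(range(100, 120)), b"code-B")
    for row in classify(official, local):
        print(row)
```

The linker computes the build-id over the linked output before anything is stripped, so a stripped binary whose only difference is the build-id usually points at a difference in content that was removed later, such as debug information.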
