Mailinglist Archive: opensuse-factory (435 mails)

[opensuse-factory] openSUSE Leap 15.2 reproducible builds verification

For openSUSE:Leap:15.2
12235 package verification builds were done,
of those, 796 failed initial verification with build-compare [1].

I did local double-builds of these 796 and found that unfortunately
only 346 of them could produce the same build results twice.

Of these 346,
15 were kmps that suffered from an issue with our OBS pesign integration.
91 became reproducible when building with the older
linux-glibc-devel-4.15 that was used for building the official binaries.

That left 239 verifiable packages that could not be automatically
verified with the published 15.2 GM binaries.
At least 18 contained a previous kernel version string
because we usually don't do automatic rebuilds for kernel updates.
Also, full rebuilds were disabled during the last stage of 15.2
development.
For future Leap release verifications I probably need to keep old
binaries around as I already do for Factory.


https://rb.zq1.de/leap/15.2/ has more data around this for further
inspection or automatic processing.
https://rb.zq1.de/leap/15.2/reproducible-verification2.json
has info on the 801 most interesting packages.


[1] background reading for why verification does not give
bit-identical results (yet):
https://www.suse.com/c/extending-trust-in-our-binaries-no-backdoors-have-been-found/