Mailinglist Archive: opensuse-packaging (106 mails)

Re: [opensuse-packaging] reproducible builds
On Wed, 16 Dec 2015, Ludwig Nussel wrote:

Michael Matz wrote:
On Fri, 11 Dec 2015, Adam Spiers wrote:

Is anyone working on (or thinking of working on) making our build
process reproducible?

https://reproducible-builds.org/

We have had that since about forever, as far as easily possible. The hard part
is changing packages to not depend on things like build time (e.g.
encoding build date/time into strings in executables). That's not
something you can do generally in a build system, but must be changed in
each and every individual package.

It's probably worth explaining the difference between our reproducible
builds and this new interpretation. SUSE and openSUSE distributions
have always had reproducible builds, for something like 20 years now.
Reproducible in the sense that a packager never builds binaries on his
own system in some magic way and then uploads binaries.

We always build sources server side (nowadays OBS, previously
autobuild). What the build environment has to look like is defined via
BuildRequires in the spec file and settings in the project config on
server side. Moreover, we don't allow packagers to directly build
packages in the distribution's project. There's always a review step
(four eyes principle). Some distributions don't have that and only have
reviews when a package is accepted for the first time.

OBS always re-creates the build environment from scratch for each
package and automatically uses other packages in the same project to set
up that build environment. I.e., there's no magic base build system, the
distribution bootstraps itself. Not only on request or mass rebuilds but
fully automatic. So even packages that haven't been submitted for
years are rebuilt with current compilers and libraries. Additionally,
every binary RPM produced by OBS contains a back reference to the
used sources (in the disturl).

IOW our process and infrastructure guarantee that our packages can
reproducibly be built from source. Everyone can reproduce that by
firing up their own build service and linking to OBS. In that sense
_our build process is reproducible_ and has always been. The terrifying
news here is that other distributions still have to do homework to
even get there.

Well, I don't see how you can "easily" reproduce a build of an
"old" version of a package without re-bootstrapping the whole
old state of the repository to build against. I understand that
we eventually have enough information in the package to actually
re-create that repository "source" state and we keep old sources
around but not binaries.

Not sure if reproducible-builds.org intends to make that any easier
than what we have though.

Richard.

--
Richard Biener <rguenther@xxxxxxx>
SUSE LINUX GmbH, GF: Felix Imendoerffer, Jane Smithard, Graham Norton, HRB
21284 (AG Nuernberg)
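
An added example, not part of the thread and not OBS tooling: the bit-for-bit comparison that the reproducible-builds.org sense of the term implies, plus a check for whether the differing bytes are an embedded build date/time of the kind mentioned above. The function names and the two sample artifacts are constructed for illustration; the date and time layouts assumed are those of C's `__DATE__` and `__TIME__`.

```python
import hashlib
import re

# C's __DATE__ ("Dec 11 2015") and __TIME__ ("10:02:33") layouts.
STAMP = re.compile(rb"[A-Z][a-z]{2} [ \d]\d \d{4}|\d{2}:\d{2}:\d{2}")

def same_digest(a: bytes, b: bytes) -> bool:
    """Bit-for-bit check: equal SHA-256 means the rebuild reproduced."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

def diff_spans(a: bytes, b: bytes, gap: int = 4):
    """(start, end) ranges where equal-length a and b differ; differences
    separated by fewer than `gap` matching bytes are merged into one span."""
    spans = []
    for i, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if spans and i - spans[-1][1] < gap:
            spans[-1][1] = i + 1
        else:
            spans.append([i, i + 1])
    return [tuple(s) for s in spans]

def explain(a: bytes, b: bytes, context: int = 12):
    """Label each differing span 'timestamp' or 'other'."""
    if len(a) != len(b):
        return [("size", len(a), len(b))]
    report = []
    for start, end in diff_spans(a, b):
        lo, hi = max(0, start - context), min(len(a), end + context)
        # A stamp counts only if it overlaps the bytes that actually differ.
        hit = any(lo + m.start() < end and lo + m.end() > start
                  for m in STAMP.finditer(a[lo:hi]))
        report.append(("timestamp" if hit else "other", start, end))
    return report

def fake_build(date: bytes, clock: bytes) -> bytes:
    """Constructed stand-in for a binary embedding a build date and time."""
    return (b"\x7fELF" + b"\x00" * 12 + b"demo 1.0 built " + date + b" "
            + clock + b"\x00" + b"\x90" * 16)

BUILD_A = fake_build(b"Dec 11 2015", b"10:02:33")   # first build
BUILD_B = fake_build(b"Dec 16 2015", b"14:20:01")   # same source, rebuilt later

if __name__ == "__main__":
    print("reproduced:", same_digest(BUILD_A, BUILD_B))
    for kind, start, end in explain(BUILD_A, BUILD_B):
        print(f"{kind:9} bytes {start}-{end}: {BUILD_A[start:end]!r} -> {BUILD_B[start:end]!r}")
```

A span labelled `other` is the case that needs a closer look, since it is a difference the build timestamp does not account for.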