Mailinglist Archive: opensuse-packaging (106 mails)

Re: [opensuse-packaging] reproducible builds

Hello Ludwig,

I think your great explanation about the SUSE and openSUSE
build process should be made obvious for everybody out there.

Perhaps it could be placed on some of our web front pages
at least on
https://build.opensuse.org/
and then linked on other web front pages like
https://en.opensuse.org/Main_Page

It would be a shame if not everybody out there knows about
what On Dec 16 11:18 Ludwig Nussel wrote:

... SUSE and openSUSE distributions
have always had reproducible builds, for something like 20 years now.
Reproducible in the sense that a packager never builds binaries on his
own system in some magic way and then uploads binaries.

We always build sources server side (nowadays OBS, previously
autobuild). What the build environment has to look like is defined via
BuildRequires in the spec file and settings in the project config on
server side. Moreover, we don't allow packagers to directly build
packages in the distribution's project. There's always a review step
(four eyes principle). Some distributions don't have that and only have
reviews when a package is accepted for the first time.

OBS always re-creates the build environment from scratch for each
package and automatically uses other packages in the same project to set
up that build environment. I.e. there's no magic base build system, the
distribution bootstraps itself. Not only on request or mass rebuilds but
fully automatic. So even packages that haven't been submitted for
years are rebuilt with current compilers and libraries. Additionally
every binary rpm produced by OBS contains a back reference to the
used sources (in the disturl).

IOW our process and infrastructure guarantees that our packages can
reproducibly be built from source. Everyone can reproduce that by
firing up their own build service and linking to OBS. In that sense
_our build process is reproducible_ and has always been. The terrifying
news here is that other distributions still have to do homework to
even get there.


Kind Regards
Johannes Meixner
--
SUSE LINUX GmbH - GF: Felix Imendoerffer, Jane Smithard,
Graham Norton - HRB 21284 (AG Nuernberg)
