[Rpm-ecosystem] Reproducible Builds

Neal Gompa ngompa13 at gmail.com
Tue Mar 1 16:18:42 UTC 2016


One important aspect that would make reproducible builds more
trustworthy in the RPM world would be some capability to indicate
checksums for sources and patches so that rpmbuild can verify them.
Debian already does this in the Debian Source Control (dsc) file, as
seen in this example [1]. Without some way to introduce build-time
verification of sources independent of a build system, it'd be hard to
reliably test in a simple manner that the inputs are what you expect
them to be. This is really more important during the srpm creation
stage, as that's when the archives and patches are bundled into a
unified source archive that can be used by anything (including mock)
to build packages.

[1]: http://debian.csail.mit.edu/debian/pool/main/r/rpm/rpm_4.12.0.1+dfsg1-3.dsc

On Tue, Mar 1, 2016 at 10:59 AM, Florian Festi <ffesti at redhat.com> wrote:
> Hi!
>
> There are several RFEs and patches popping up that revolve around
> reproducible builds. Some may have noticed the recent patch adding the
> first pieces for supporting SOURCE_DATE_EPOCH[1].
>
> From the looks of it there is a quite active group within Debian working
> on the topic[2] but this topic clearly transcends single distributions.
>
> When it comes to scope it is clear that rpm cannot tackle the issue
> alone, as reproducible builds require changes at all kinds of levels: build
> systems, build tools, implementation details, but also package managers
> or, to be more precise, package build tools like rpmbuild. Still there are
> some things we can do to help.
>
> So I want to focus the different pieces of work on rpm(build) here. So
> far I found:
>
>  * The SOURCE_DATE_EPOCH patch mentioned above [1]
>   * Still unfinished patch for file timestamps mentioned there
>  * Setting buildhost [3]
>  * See mail above wrt deterministic archives
>
> I am pretty sure there are still pieces missing.
>
> So, my questions are: Who is actually working on reproducible builds?
> What else is missing? Are there any special needs for some build systems?
>
> Florian
>
> [1]
> https://github.com/rpm-software-management/rpm/commit/b8a54d6a1e9bb6140b6b47e23dc707e4b967537e
>     https://bugzilla.redhat.com/show_bug.cgi?id=1288713
> [2] https://reproducible-builds.org/
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=1309367
>
> --
>
> Red Hat GmbH, http://www.de.redhat.com/ Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael
> O'Neill, Charles Peters
> _______________________________________________
> Rpm-ecosystem mailing list
> Rpm-ecosystem at lists.rpm.org
> http://lists.rpm.org/mailman/listinfo/rpm-ecosystem



-- 
真実はいつも一つ!/ Always, there's only one truth!
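As an added example, not code from either message or from rpm itself, here is a small Python script that ties together the two points raised in this thread: it verifies source archives and patches against a dsc-style "Checksums-Sha256" stanza before they are bundled (Neal's point), and then writes the bundle as a deterministic tar.gz whose timestamps are clamped to a SOURCE_DATE_EPOCH value and whose owner and mode fields are fixed (Florian's deterministic-archive point). The file names, file contents, the manifest text and the run_demo helper are all constructed for illustration; the only real convention borrowed is the dsc checksum line layout of "<sha256> <size> <name>".

```python
import gzip
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed stand-ins for an upstream tarball and a distro patch.
SAMPLE_SOURCES = {
    "example-1.0.tar.gz": b"constructed upstream tarball payload\n",
    "0001-fix-build.patch": b"--- a/foo\n+++ b/foo\n@@ -1 +1 @@\n-old\n+new\n",
}


def write_sources(directory, sources=SAMPLE_SOURCES):
    """Materialise the constructed inputs on disk so the rest of the flow can stat/hash them."""
    for name, data in sources.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(directory, names):
    """Emit a dsc-style stanza: one ' <sha256> <size> <name>' line per input."""
    lines = ["Checksums-Sha256:"]
    for name in names:
        path = os.path.join(directory, name)
        lines.append(f" {sha256_file(path)} {os.path.getsize(path)} {name}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Return {name: (sha256, size)} from the Checksums-Sha256 stanza (continuation lines start with a space)."""
    entries, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Checksums-Sha256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
    return entries


def verify_sources(directory, manifest_text):
    """Check every declared input; return a list of (name, problem), empty when all inputs match."""
    problems = []
    for name, (digest, size) in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            problems.append((name, "missing"))
        elif os.path.getsize(path) != size:       # cheap check first
            problems.append((name, "size mismatch"))
        elif sha256_file(path) != digest:
            problems.append((name, "checksum mismatch"))
    return problems


def build_source_archive(directory, names, source_date_epoch):
    """Bundle the inputs into a tar.gz whose bytes depend only on the inputs and the epoch."""
    buf = io.BytesIO()
    # mtime=0 pins the gzip header timestamp, which would otherwise be "now".
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in sorted(names):            # fixed member order
                path = os.path.join(directory, name)
                info = tar.gettarinfo(path, arcname=name)
                info.mtime = int(source_date_epoch)  # clamp; an int also avoids a float pax header
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
                info.mode = 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    return buf.getvalue()


def run_demo(source_date_epoch=1456849122):
    """Verify, archive twice, then tamper; returns the observations for inspection or testing."""
    with tempfile.TemporaryDirectory() as work:
        write_sources(work)
        names = sorted(SAMPLE_SOURCES)
        manifest = make_manifest(work, names)
        clean = verify_sources(work, manifest)
        first = build_source_archive(work, names, source_date_epoch)
        second = build_source_archive(work, names, source_date_epoch)
        other = build_source_archive(work, names, source_date_epoch + 1)
        # Tamper: flip one byte of the patch (same size) and delete the tarball.
        patch = os.path.join(work, names[0])
        data = bytearray(SAMPLE_SOURCES[names[0]])
        data[0] ^= 0xFF
        with open(patch, "wb") as fh:
            fh.write(data)
        os.remove(os.path.join(work, names[1]))
        tampered = verify_sources(work, manifest)
    return {
        "clean": clean,
        "reproducible": first == second,
        "epoch_changes_output": first != other,
        "tampered": tampered,
        "archive_sha256": hashlib.sha256(first).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two details carry the reproducibility: every per-file field that the tar writer would otherwise take from the filesystem (mtime, uid/gid, names, mode) is overwritten before addfile, and the gzip wrapper is given an explicit mtime, since the gzip header alone would make two otherwise identical bundles differ. A size check before the hash is cheap, but it is the checksum comparison that catches a same-length edit to a patch.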

