[Rpm-ecosystem] Reproducible Builds

Nicolas Vigier boklm at mars-attacks.org
Wed Mar 2 12:31:54 UTC 2016


On Wed, 02 Mar 2016, Michael Schroeder wrote:

> On Tue, Mar 01, 2016 at 04:59:02PM +0100, Florian Festi wrote:
> > I am pretty sure there are still pieces missing.
> > 
> > So, my questions are: Who is actually working on reproducible builds?
> > What else is missing? Are there any special needs for some build systems?
> 
> Dunno if I want to have the buildhost and the buildtime patched, this
> is important information to know. The question is what's the goal
> of reproducible builds, do you just want the same payload or should
> the header also be the same? How about the signature, it contains
> the current time as well.

The buildhost and buildtime would be patched only if the option to do it
is selected (the SOURCE_DATE_EPOCH environment variable for the build
time, a macro for the build host). If this is important information for
you, then you can keep the default configuration. In the case of
reproducible builds we don't want this information to be included in
the rpm files because this makes the build differ depending on time and
hostname.

The main goal of reproducible builds is to make it possible for multiple
people on different computers to build the same source package and get
the exact same binary package, making sure a package has been built from
the sources it's supposed to, and that the build environment was not
compromised. As a result, if someone comes to the house or office of
the owner of the signing key to force them to sign a package, it's
easier to refuse when they can say that it will immediately be noticed
because various people verify the builds.

You can read more about the goals here:
https://reproducible-builds.org/docs/buy-in/
https://reproducible-builds.org/events/athens2015/use-cases/

You are right about the signature, it will be a problem too. There
can be different solutions:
 - use detached signatures instead of embedded signatures
 - when trying to reproduce a package, reapply the signature from the
   package you're trying to reproduce to the package you've built
 - strip the signature from the package when you want to compare it

Nicolas
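The third option above (strip the signature before comparing) as an added worked example; this is not code from the rpm project or from the thread. It parses the RPM container directly, assuming the documented on-disk layout: a 96-byte lead, then the signature header (a standard header structure padded to an 8-byte boundary), then the main header, then the payload. It then hashes only header + payload, which is the part a rebuild has to reproduce. The sample packages are constructed in the script with the usual tag numbers (RPMTAG_NAME 1000, BUILDTIME 1006, BUILDHOST 1007, RPMSIGTAG_GPG 1005) and fake signature blobs; they are not real rpm files.

```python
"""Compare two RPM images with their signature header stripped.

Added example (not rpm project code).  Assumed layout, from the RPM file
format: 96-byte lead, signature header (padded to 8 bytes), main header,
payload.  All sample packages below are constructed, not real.
"""
import hashlib
import struct

LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # 3-byte header magic + version 1

# Tag numbers and data types as documented for rpm (assumed here).
RPMTAG_NAME, RPMTAG_BUILDTIME, RPMTAG_BUILDHOST = 1000, 1006, 1007
RPMSIGTAG_GPG = 1005
INT32, STRING, BIN = 4, 6, 7


def header_length(buf, off):
    """Total length of the header structure that starts at buf[off]."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    return 16 + 16 * nindex + hsize          # preamble + index entries + data store


def split_rpm(buf):
    """Return (lead, signature_header, header, payload) slices of an RPM image."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM image: bad lead magic")
    sig_len = header_length(buf, LEAD_SIZE)
    # The signature header is padded so that the main header is 8-byte aligned.
    hdr_off = LEAD_SIZE + ((sig_len + 7) & ~7)
    hdr_len = header_length(buf, hdr_off)
    return (buf[:LEAD_SIZE],
            buf[LEAD_SIZE:LEAD_SIZE + sig_len],
            buf[hdr_off:hdr_off + hdr_len],
            buf[hdr_off + hdr_len:])


def raw_digest(buf):
    """SHA-256 of the whole file: differs whenever the signature differs."""
    return hashlib.sha256(buf).hexdigest()


def unsigned_digest(buf):
    """SHA-256 over header + payload only, i.e. what a rebuild must reproduce."""
    _, _, header, payload = split_rpm(buf)
    return hashlib.sha256(header + payload).hexdigest()


def same_build(a, b):
    """True when two packages differ at most in their signature header."""
    return unsigned_digest(a) == unsigned_digest(b)


# --- constructed sample data (not real packages) ---------------------------

def build_header(entries):
    """Pack (tag, type, count, data) entries into a header structure."""
    index, store = b"", b""
    for tag, typ, count, data in entries:
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    return (HEADER_MAGIC + b"\0" * 4
            + struct.pack(">II", len(entries), len(store)) + index + store)


def build_rpm(sig_entries, hdr_entries, payload):
    lead = LEAD_MAGIC + bytes([3, 0]) + b"\0" * (LEAD_SIZE - 6)
    sig = build_header(sig_entries)
    sig += b"\0" * ((-len(sig)) % 8)         # pad signature header to 8 bytes
    return lead + sig + build_header(hdr_entries) + payload


HDR = [(RPMTAG_BUILDTIME, INT32, 1, struct.pack(">I", 1456878000)),   # fixed, as with SOURCE_DATE_EPOCH
       (RPMTAG_NAME, STRING, 1, b"example\0"),
       (RPMTAG_BUILDHOST, STRING, 1, b"reproducible\0")]
PAYLOAD = b"not-a-real-cpio-payload"

# Same header and payload, two different (fake) signature blobs.
PKG_SIGNED_A = build_rpm([(RPMSIGTAG_GPG, BIN, 8, b"SIG-A\0\0\0")], HDR, PAYLOAD)
PKG_SIGNED_B = build_rpm([(RPMSIGTAG_GPG, BIN, 8, b"SIG-B\0\0\0")], HDR, PAYLOAD)
# Same payload, but built with a different (unpatched) build host recorded.
HDR_OTHER_HOST = HDR[:2] + [(RPMTAG_BUILDHOST, STRING, 1, b"builder42\0")]
PKG_OTHER_HOST = build_rpm([(RPMSIGTAG_GPG, BIN, 8, b"SIG-C\0\0\0")], HDR_OTHER_HOST, PAYLOAD)

if __name__ == "__main__":
    print("A vs B, raw:     ", raw_digest(PKG_SIGNED_A) == raw_digest(PKG_SIGNED_B))
    print("A vs B, unsigned:", same_build(PKG_SIGNED_A, PKG_SIGNED_B))
    print("A vs other host: ", same_build(PKG_SIGNED_A, PKG_OTHER_HOST))
```

The third sample shows why the build host has to be pinned as well: two signatures on the same header and payload compare equal once the signature header is ignored, but a different BUILDHOST string lives in the main header, so it still makes the unsigned digests differ. On real packages the same comparison can be done with the rpm tool itself by running `rpm --delsign` on copies of both files before diffing them.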
