[Rpm-ecosystem] Reproducible Builds

Nicolas Vigier boklm at mars-attacks.org
Fri Mar 4 23:08:15 UTC 2016


On Tue, 01 Mar 2016, Florian Festi wrote:

> 
> So I want to focus the different pieces of work on rpm(build) here. So
> far I found:
> 
>  * The SOURCE_DATE_EPOCH patch mentioned above [1]
>   * Still unfinished patch for file timestamps mentioned there
>  * Setting buildhost [3]
>  * See mail above wrt deterministic archives
> 
> I am pretty sure there are still pieces missing.

There might be more pieces later, but this looks like a good start.
With those patches, when trying on a simple package, I have been able
to rebuild it twice and get exactly the same package.

> 
> So, my questions are: Who is actually working on reproducible builds?

Dhiru Kholia started some work on reproducible builds for Fedora:
https://github.com/kholia/ReproducibleBuilds

Holger Levsen set up some reproducibility tests for Fedora:
https://tests.reproducible-builds.org/rpms/fedora-23.html
(for the moment nothing is reproducible because the rpmbuild used does
not have the SOURCE_DATE_EPOCH and buildhost patches yet; adding those
patches should hopefully allow some packages to be fully reproducible)

And I helped with some rpm patches to try to fix the most obvious issues.
