[Rpm-maint] [rpm-software-management/rpm] Make rpm builds more reproducible (Discussion #2654)

Panu Matilainen notifications at github.com
Tue Sep 12 07:56:03 UTC 2023


Just a quick note here, as @keszybz already noted, there's reproducibility and there's reproducibility, and amusingly enough the two are often in direct conflict. To make it possible to talk about these, let's call this variant traceability instead.

One recent enhancement (in rpm >= 4.18) is that we now store the parsed spec in the src.rpm, so you can actually see how it was built. Because, increasingly specs consist of complex higher level macros that expand to who knows what, and without having the end-result to compare with, you haven't got the slightest clue whether your build will result in anything remotely resembling the "original". While that isn't exactly the same as your request of recording macro values at build, it kinda achieves that in a different manner.
Ironically that feature causes all sorts of reproducibility problems where the spec can parse subtly differently (due to things like local tmp paths or cpu counts ending up in the parsed spec) thus causing different checksums on the src.rpm. So a feature aimed at reproducibility (and traceability) is directly conflicting with, yes, reproducibility.

As for recording the packages in the build environment, that has similar problems but worse: we have no idea which of the installed packages are related to the build at all. Recording the installed set can be extremely useful info when troubleshooting etc, but it also inevitably records a whole lot of irrelevant "static" like kernel version of the day which is not supposed to be relevant for the average package in any way. And, the package NEVRs would shatter reproducibility even if the *actual product* was bit-for-bit identical.

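The conflict described in the message above, as an added example that is not part of the original post or of rpm: two expanded specs that differ only in host-dependent values get different checksums, while masking those values separates that noise from a real change. The sample spec text, the `SCRATCH` variable and the two masking patterns are assumptions made for this sketch.

```python
import hashlib
import re
from itertools import zip_longest

# Assumed noise patterns for this example (not an rpm feature): values in the
# expanded spec that come from the build host rather than from the package.
HOST_NOISE = [
    (re.compile(r"(?<![\w-])-j\s*\d+\b"), "-j<N>"),         # job count from CPU count
    (re.compile(r"/(?:var/)?tmp/rpm-tmp\.\w+"), "<TMP>"),   # per-run temp path
]

def normalize(parsed_spec):
    """Replace host-dependent values with fixed tokens."""
    for pattern, token in HOST_NOISE:
        parsed_spec = pattern.sub(token, parsed_spec)
    return parsed_spec

def digest(text):
    """SHA-256 of the text, standing in for a checksum over the stored spec."""
    return hashlib.sha256(text.encode()).hexdigest()

def classify(a, b):
    """Return 'identical', 'host-noise' or 'different' for two parsed specs."""
    if a == b:
        return "identical"
    return "host-noise" if normalize(a) == normalize(b) else "different"

def real_differences(a, b):
    """Lines (1-based) that still differ once host noise is masked."""
    pairs = zip_longest(normalize(a).splitlines(), normalize(b).splitlines(), fillvalue="")
    return [(n, x, y) for n, (x, y) in enumerate(pairs, 1) if x != y]

# Constructed sample text, shaped like an expanded spec; not real rpm output.
HOST_A = """Name: hello
Version: 1.0
%build
export SCRATCH=/var/tmp/rpm-tmp.a1B2c3
/usr/bin/make -O -j8 V=1
"""
HOST_B = HOST_A.replace("-j8", "-j16").replace("rpm-tmp.a1B2c3", "rpm-tmp.Zz9Yx8")
PATCHED = HOST_B.replace("V=1", "V=1 CFLAGS=-O0")

if __name__ == "__main__":
    print(digest(HOST_A) == digest(HOST_B))   # raw checksums disagree
    print(classify(HOST_A, HOST_B))
    print(classify(HOST_A, PATCHED), real_differences(HOST_A, PATCHED))
```

Masking trades exact traceability for comparability: the normalized text no longer records which job count or temp path the build actually used.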