[Rpm-maint] [rpm-software-management/rpm] Make rpm builds more reproducible (Discussion #2654)

Jan Zerebecki notifications at github.com
Tue Apr 9 15:07:32 UTC 2024


You should try to find out what tool is used to build the build root for these packages and use that if you can.

In both openSUSE and Debian a buildinfo file (though with different syntax) of the environment for the build is produced. This specifies environment variables, packages installed into the build root, etc.

That would also be a good place for the repos and command line arguments. Though Fedora, openSUSE and Debian do not use any package specific arguments and the repos are implicit. I think openSUSE lists the repo of origin for each package installed into the build root. I think the buildinfo of openSUSE has hashes, but Debian's has not. openSUSE's OBS also can produce a few other SBOM formats.

It is intentionally not part of the package binary, so that the buildinfo can be different while still producing the same bit-by-bit binary. This needs to be done at a level where the build root is created: mock or koji for Fedora, obs-build or OBS for openSUSE. Note that building a build root may also have steps that are not part of a package.

The buildinfo/SBOM is then used for a cryptographic signature asserting that the build was reproducible with that environment.

Examples:
https://buildinfo.debian.net/d6a4da6e62bf21c9459197a4bf22d45725dc40f3/0ad_0.0.23.1-5_amd64
https://download.opensuse.org/update/leap/15.5/sle/x86_64/389-ds-2.2.8~git17.48834f1-150500.3.5.1.x86_64.slsa_provenance.json
(I don't have an openSUSE buildinfo file handy, as it is not currently published to the normal mirrors but only available via OBS API call.)

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/2654#discussioncomment-9060491

Message ID: <rpm-software-management/rpm/repo-discussions/2654/comments/9060491 at github.com>
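To make the point of the comment above concrete (a buildinfo record that lives outside the package, and two records that differ in build environment but attest the same bit-for-bit artifact), here is an added example that is not part of the discussion and not code from rpm, Debian or OBS. It uses a simplified deb822-style layout whose field names resemble Debian's .buildinfo, but the record, the artifact bytes and the functions make_buildinfo, parse_buildinfo and verify_rebuild are all constructed for illustration.

```python
import hashlib

ARTIFACT_NAME = "example_1.0-1_amd64.deb"
# Constructed stand-in for a package that two builders produced bit-for-bit identical.
ARTIFACT_BYTES = b"constructed package payload, identical on both builders\n"


def make_buildinfo(source, version, artifacts, installed, env):
    """Render a simplified Debian-style (deb822) buildinfo record.

    Field names mirror Debian's .buildinfo, but this is an illustrative
    subset written for this example, not the real format specification.
    """
    lines = ["Format: 1.0", f"Source: {source}", f"Version: {version}",
             "Checksums-Sha256:"]
    for name, data in sorted(artifacts.items()):
        lines.append(f" {hashlib.sha256(data).hexdigest()} {len(data)} {name}")
    lines.append("Installed-Build-Depends:")
    lines.append(" " + ",\n ".join(installed))
    lines.append("Environment:")
    lines.extend(f' "{k}={v}"' for k, v in sorted(env.items()))
    return "\n".join(lines) + "\n"


def parse_buildinfo(text):
    """Parse deb822-style fields; continuation lines start with whitespace.

    Returns {field: [values]} where the first value is the inline one (if any)
    and the rest are the stripped continuation lines.
    """
    fields = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if key is None:
                raise ValueError("continuation line before any field")
            fields[key].append(line.strip())
        else:
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError(f"malformed line: {line!r}")
            fields[key] = [value.strip()] if value.strip() else []
    return fields


def verify_rebuild(buildinfo_text, rebuilt):
    """Check rebuilt artifacts against the size and SHA-256 recorded in buildinfo.

    Returns {artifact_name: bool}; a name missing from `rebuilt` is False.
    This is the comparison a rebuilder would do before signing an attestation.
    """
    fields = parse_buildinfo(buildinfo_text)
    results = {}
    for entry in fields.get("Checksums-Sha256", []):
        digest, size, name = entry.split()
        data = rebuilt.get(name)
        results[name] = (data is not None and len(data) == int(size)
                         and hashlib.sha256(data).hexdigest() == digest)
    return results


def demo():
    """Two builders, different environments, same bits: both records verify."""
    artifacts = {ARTIFACT_NAME: ARTIFACT_BYTES}
    deps = ["gcc (= 13.2.0-1)", "libc6-dev (= 2.37-1)"]  # constructed versions
    bi_a = make_buildinfo("example", "1.0-1", artifacts, deps,
                          {"SOURCE_DATE_EPOCH": "1712674052", "LANG": "C.UTF-8"})
    bi_b = make_buildinfo("example", "1.0-1", artifacts, deps,
                          {"SOURCE_DATE_EPOCH": "1712674052", "LANG": "POSIX"})
    return bi_a, bi_b, verify_rebuild(bi_a, artifacts), verify_rebuild(bi_b, artifacts)


if __name__ == "__main__":
    a, b, ok_a, ok_b = demo()
    print(a)
    print("records differ:", a != b, "| rebuild matches:", ok_a, ok_b)
```

The two records differ only in their Environment field, yet verify_rebuild accepts the same artifact bytes for both, which is exactly why the buildinfo is kept next to, rather than inside, the package: embedding it would make the binaries differ. A tampered or truncated artifact fails the size or digest check.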