Reproducible Builds Verification Format

Arnout Engelen arnout at bzzt.net
Thu May 14 12:18:38 UTC 2020


On Thu, May 14, 2020 at 1:55 PM Morten Linderud <foxboron at archlinux.org>
wrote:

> On Thu, May 14, 2020 at 01:39:57PM +0200, Arnout Engelen wrote:
> > I don't think the buildinfo of the initial build should be a required
> > input for a rebuilder.
> >
> > Now of course I know in practice it can be logistically convenient to
> > use the buildinfo from the initial build as input for the rebuilder. I'm
> > not saying we should forbid this. But I think we should design our
> > standards / file formats in such a way that we do not *require*
> > rebuilders to have access to information from the initial build. For
> > example, triggering a 'rebuild' whenever a new version is tagged in
> > source control could in some cases be a valid approach as well.
>
> This is an implementation detail, isn't it? A buildinfo wouldn't be
> required if you are in an environment where the build environment doesn't
> change. But in many cases, this isn't the case. Dependencies we pulled
> could have new versions which could very well interfere with the build.
> And if we don't have the buildinfo file at hand, how would we know what
> introduced the change?
>

I think we are in agreement: I was trying to explain why I think rebuilders
should publish their resulting buildinfo, and while adding the rbvf concept
proposed above can be useful, it should be shared along with the buildinfo,
rather than instead of it.

> I'm unsure if you are proposing a rebuild, or arguing for multiple separate
> builds of the same package at the same point in time. The latter is beside
> the goal of a rebuilder currently and would in any case be a CI/CD feature
> of the given distribution.
>

I'm not proposing any changes/rebuilds of existing infrastructure.

I'm mainly arguing that if we introduce a new concept/file format (the rbvf
proposed above), we should be careful it won't prevent us from doing
useful things (like indeed running multiple separate builds of the same
package at the same time, or running a 'rebuild' without access to the
buildinfo from the original build) in the future.


Arnout
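The thread turns on two uses of a buildinfo file: Morten's question of how a rebuilder would know what introduced a change without the original buildinfo at hand, and Arnout's point that rebuilders should publish their own resulting buildinfo so the two can be compared. The following is an added example, not code from the rb-general thread, from any rebuilder project, or from the rbvf proposal: it parses two Debian-style .buildinfo files (deb822 fields with multi-line Checksums-Sha256 and Installed-Build-Depends), checks whether the produced artifacts match, and, when they do not, reports which recorded build-dependency versions and which other header fields diverge. The two buildinfo texts below are constructed sample data, and the assumption that both sides use the Debian buildinfo layout is mine; the thread itself does not fix a format.

```python
"""Compare an original build's .buildinfo against a rebuilder's .buildinfo.

Added example for the rb-general thread; not code from any project.
Assumes the Debian-style buildinfo layout (deb822 fields, entries in
Checksums-Sha256 as '<sha256> <size> <filename>', entries in
Installed-Build-Depends as 'pkg (= version),'). Sample inputs are constructed.
"""

from typing import Dict, List, Tuple

# Fields that legitimately differ between an original build and a rebuild
# and therefore are not reported as "other" divergences.
_EXPECTED_TO_DIFFER = {"Build-Date"}
# Fields that are handled by dedicated comparisons rather than as scalars.
_STRUCTURED = {"Checksums-Md5", "Checksums-Sha1", "Checksums-Sha256",
               "Installed-Build-Depends"}


def parse_buildinfo(text: str) -> Dict[str, str]:
    """Parse deb822-style text into field -> value; continuation lines
    (leading whitespace) are joined to the current field with newlines."""
    fields: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def checksums(info: Dict[str, str]) -> Dict[str, str]:
    """Map artifact filename -> sha256 from the Checksums-Sha256 field."""
    out: Dict[str, str] = {}
    for entry in info.get("Checksums-Sha256", "").split("\n"):
        if entry:
            digest, _size, filename = entry.split()
            out[filename] = digest
    return out


def build_depends(info: Dict[str, str]) -> Dict[str, str]:
    """Map package -> installed version from Installed-Build-Depends."""
    out: Dict[str, str] = {}
    for entry in info.get("Installed-Build-Depends", "").split("\n"):
        entry = entry.strip().rstrip(",")
        if entry:
            name, _, rest = entry.partition(" ")
            out[name] = rest.strip("(= )")
    return out


def _dict_diff(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, Tuple]:
    """Keys whose values differ (missing on one side shows as None)."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if a.get(k) != b.get(k)}


def compare(original_text: str, rebuild_text: str) -> Dict[str, object]:
    """Return whether the rebuild reproduced the original artifacts and,
    if not, what in the recorded build environment differs."""
    orig, rebuilt = parse_buildinfo(original_text), parse_buildinfo(rebuild_text)
    sums_orig, sums_rebuilt = checksums(orig), checksums(rebuilt)
    mismatched: List[str] = sorted(
        f for f in sums_orig if sums_rebuilt.get(f) != sums_orig[f])
    scalar_orig = {k: v for k, v in orig.items()
                   if k not in _STRUCTURED | _EXPECTED_TO_DIFFER}
    scalar_rebuilt = {k: v for k, v in rebuilt.items()
                      if k not in _STRUCTURED | _EXPECTED_TO_DIFFER}
    return {
        "reproducible": not mismatched and set(sums_orig) == set(sums_rebuilt),
        "mismatched_artifacts": mismatched,
        "build_depends_diff": _dict_diff(build_depends(orig), build_depends(rebuilt)),
        "other_field_diff": _dict_diff(scalar_orig, scalar_rebuilt),
    }


# Constructed sample buildinfo files (digests are placeholders, not real hashes).
ORIGINAL = """Format: 1.0
Source: hello
Binary: hello
Architecture: amd64
Version: 2.10-3
Checksums-Sha256:
 """ + "a" * 64 + """ 56412 hello_2.10-3_amd64.deb
Build-Origin: Debian
Build-Architecture: amd64
Build-Date: Thu, 14 May 2020 10:00:00 +0000
Build-Path: /build/hello-2.10
Installed-Build-Depends:
 gcc-9 (= 9.3.0-10),
 libc6 (= 2.30-4),
 make (= 4.3-1)
"""

REBUILD = ORIGINAL.replace("a" * 64, "b" * 64) \
    .replace("Build-Date: Thu, 14 May 2020 10:00:00 +0000",
             "Build-Date: Thu, 14 May 2020 18:30:00 +0000") \
    .replace("Build-Path: /build/hello-2.10", "Build-Path: /srv/rb/hello-2.10") \
    .replace("gcc-9 (= 9.3.0-10)", "gcc-9 (= 9.3.0-11)")

if __name__ == "__main__":
    for label, rebuild in (("self", ORIGINAL), ("rebuilder", REBUILD)):
        print(label, compare(ORIGINAL, rebuild))
```

The comparison deliberately ignores Build-Date, which differs on every honest rebuild, while still surfacing Build-Path, since a differing build path is a common cause of embedded-path differences. With only the rebuilder's buildinfo and no original, the same parser still documents the rebuild environment; the diff just has nothing to be taken against, which is the situation Arnout wants the file format to leave open.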