[rb-general] Yocto Project interest in reproducible builds

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Nov 15 23:16:08 CET 2016

Hi Richard--

On Tue 2016-11-15 20:30:36 +0900, Richard Purdie wrote:

> The Yocto Project has a strong interest in reproducible builds, it's
> something we've been working on for a while but obviously there is
> much work remaining.

This is great to hear!  Thanks for reaching out to the rest of the
reproducible builds community!

> Some issues we have are more specialised to our use cases, such as
> paths injected during cross compilation.

Pretty much every group that's participating has some special cases, but
we share a lot more than we differ.  For example, Debian has a group of
people working on cross-building as well (as part of a bootstrapping
project), and we'd really like the cross-builds to produce the same
binary artifacts as the native builds.

So please don't shy away from bringing up concerns that you think might
be specific to your project.  In some cases, you'll find others already
interested in (and working on) your concerns, and in other cases, you
might be turning over a stone that nobody else has and we'll all learn
from (and benefit from) it.

> I'm not sure how to collaborate, our policy is where we have patches,
> to get them upstream if we can and that obviously helps everyone.

This is exactly the right posture to take.  If you have patches for
reproducibility that are pending upstream adoption, please mention them
to the list here.  If you find yourself not getting as much traction
with upstream as you like, sometimes it helps to have allies make it
clear that it's not only one project who wants to see the improvements.

> I would be happy to have the Yocto Project listed as supporting
> reproducible builds

The website https://reproducible-builds.org/ is managed by a git repo:

    git clone https://anonscm.debian.org/git/reproducible/reproducible-website.git

You might want to add yocto to _data/projects.yml (and a logo to
images/logos/ if you've got one).  If you apply for an account on alioth
[0] someone can probably give you commit access.  Or if you publish your
changes to some other git repo and just send mail to this list asking
for a merge, we'll merge it in.

Feel free to propose other edits as well.



[0] https://alioth.debian.org/account/register.php
