[rb-general] Status of Reproducible Builds on NetBSD
Pierre Pronchery
khorben at defora.org
Fri Oct 20 01:44:23 CEST 2017
Hi everyone,
On 18/10/2017 15:08, Holger Levsen wrote:
> On Fri, Oct 13, 2017 at 12:42:11PM +0200, Pierre Pronchery wrote:
>> Since the conference last year I have integrated the board of directors of
>> the NetBSD Foundation, and I will be glad to be a presence for the NetBSD
>> project at the RB summit again! A lot of progress has been made both for the
>> base system and for the packages, and I will be glad to share this with the
>> RB community.
>
> thanks for these exciting updates! very cool to see all the progress!
>
>> - https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_builds
>
> says the status is that you're having fully reproducible builds for amd64 and
> sparc64, which is very cool, just that you're "only" referring to the base
> system, right?
That is correct, this is only about the base system.
> What's the status on individual packages or ports (as you call them, iirc)?
Our packages come from the pkgsrc project, which is also managed by the
NetBSD Foundation. There is no knob there at the moment to force the
generation of reproducible packages, however a significant part of the
underlying work has been done (handling CFLAGS and LDFLAGS across every
package based on C/C++).
On a related note, unfortunately we do not officially support
cross-compilation yet, even though there has been progress there too:
https://www.netbsd.org/gallery/presentations/riastradh/asiabsdcon2015/pkgsrc-cross-paper.pdf
https://netbsd.org/gallery/presentations/riastradh/asiabsdcon2015/pkgsrc-cross.pdf
...but we have two ways of wrapping the compiler and linker, where we
can influence the behaviour of both compiler and linker without the
underlying package actually supporting changes to the CFLAGS or LDFLAGS.
> And more general: does NetBSD distribute binary builds? (Of what?)
We do generate and provide binary builds, for both the base system and
for packages.
The official binaries for the base system are generally fine for
everyone. I haven't used them in a long time myself, because I wanted
PIE (for full ASLR) and REPRO. This is one of the reasons I started the
EdgeBSD project, which is primarily about working on NetBSD with Git
instead of CVS (https://www.edgebsd.org/).
About packages now, I would say that many users still prefer to build
their own. My opinion is that the default options are not really
suitable for desktop use (no CUPS support for Gtk+ by default for
instance) nor for servers (SSL/TLS disabled by default in random
places). I keep trying to push for changes in this direction when I find
the time and energy.
HTH,
--
khorben