[rb-general] Arch Linux Update
Jelle van der Waa
jelle at vdwaa.nl
Sun Dec 9 20:38:58 CET 2018
As Bernhard did a wonderful writeup for the rpm ecosystem ahead of the Paris
summit, we thought we should attempt the same thing. We have summarized the work
Arch Linux has done towards reproducible builds the past year(s). Hopefully it
will be somewhat interesting! Feel free to ask if there are any questions.
3. The repro tool
4. Reproducible Builds environment
Support for SOURCE_DATE_EPOCH was added to makepkg in May of 2017 . makepkg is
the tool used to create packages from PKGBUILD files. After some testing it was
later discovered that we also needed to make sure that files inside packages
need to have the correct time, as build artifacts sometimes embed the
timestamps . In May 2018 we released pacman 5.1.0 which included support for
Recording of build information in a .BUILDINFO file was added to pacman in
The intial file included:
- buildenv (makepkg configuration option which affects the build environment)
- options (options which affect packaging, removing debug symbols, staticlibs, etc.)
The initial file was expanded in 2017 with the following fields:
- format (version of buildinfo file format)
In 2018 a man page was written which describes the BUILDINFO file .
During development of tools to reproduce packages, we discovered the BUILDINFO
file was lacking the architecture information of installed packages. As Arch
Linux produces packages with different architectures, such as 'x86_64' and
'any', we had to guess the architecture of the package when fetching from our
archive. This was subsequently fixed. 
The repro tool
repro is a tool to aid in verification of Arch Linux packages. It creates a
chroot, fetches the correct PKGBUILD and installs the needed dependencies as
described by a BUILDINFO file.
The tool has the following goals:
- Easily auditable
- Distribution independent
- Do not duplicate features from other tools, like reprotest.
This helps us in making it easier for users, or other interested parties, to
audit Arch packages in the future. It is currently very much a work in progress,
however it is capable of reproducing archive packages in its current state.
Reproducible Builds environment
The continuous reproducing environment has been continuously improved by Holger and
numerous others. It now uses a database to render the HTML pages which allows
showing the reproducibility status. We have also donated some servers which
where sponsored by Private Internet Access to help reproduce packages.
As for packaging, Arch tries to be as vanilla as possible and therefore does not
patch packages specifically for reproducible builds and tries to upstream the
found issues instead. There are some issues with the actual packaging which
made packages reproducible, for example convert was used in PKGBUILDs to convert
images to a different format mostly for for desktop files. Imagemagick's
convert by default is not reproducible since it embeds dates in the converted
files, this was fixed in our PKGBUILDs. 
Another issue was found using the repro tool with our SVN propsets making it
unreproducible, the propsets are now removed from our PKGBUILDs - also due to
not being useful anymore. 
Apart from these issues, numerous 404 sources have been fixed (since Arch does
not mirror the upstream source tarballs) and fixed FTBS packages, especially for
the [core] repository.
The Arch Team.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: not available
More information about the rb-general