[rb-general] reproducible anything

Orians, Jeremiah (DTMB) OriansJ at michigan.gov
Fri Sep 28 15:29:16 CEST 2018


> We recently discussed how to have different flavours of tar produce the same output (somewhat hard)
But possible now that reproducible builds is gaining support

> There are also two other issues related to reproducible builds that so far did not get much attention.
> It is because those seem to be not much about building, but more about producing any output.
Well, we hit upon them back when some man pages were not reproducible and dumb crypto bits were involved.
It's just that we didn't have people to go pursue that class of problems because they seemed so huge;
Think of the sheer number of weird determinism bugs that exist in the Debian repo and possibly exist in the apt tool chain itself.

I believe the wisest strategy is to go after classes of tools as we need them to further determinism in our processes.
Aka, get as many tars as possible to a core standard and repeat for other producers essential in the order of frequency (if zip is more popular than png, get those standardized first).

> Both together mean that any tool that produces any output that somehow ends up in our images or noarch-packages, needs to do so in a more reproducible way than I previously thought.

Long game we probably need to practice what we preach and cross-building needs to be something we all seriously consider as essential.
Can NetBSD build Debian packages with identical checksums to the Debian packages built on Arch, GuixSD and Debian?
Can NetBSD programs built on Arch, GuixSD and Debian be identical to the same programs built on NetBSD?

What are your thoughts?

-Jeremiah Orians

