[rb-general] reproducible anything

Bernhard M. Wiedemann bernhardout at lsmod.de
Fri Sep 28 16:40:29 CEST 2018


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 28/09/2018 13.29, Orians, Jeremiah (DTMB) wrote:
> Can NetBSD build Debian packages with identical checksums to the
> Debian packages built on Arch, GuixSD and Debian? Can NetBSD
> programs be built on Arch, GuixSD and Debian be identical to the
> same programs built on NetBSD?

At least on the Linux side, this is perfectly possible

E.g. I just did on Debian and openSUSE:

osc checkout home:bmwiedemann:reproducible/reproducible-faketools
cd $_
osc build --keep-pkgs=RPMS
md5sum RPMS/*

and got the same outputs, i.e.
5fd8209e0fec3209b5e1a6e6cce0d32a
RPMS/reproducible-faketools-0.3.10-0.noarch.rpm

That is so, because the build process involves setting up a chroot
environment wherein the build happens.
So the only part used from the host is the kernel + tty and everything
else is the same between the two builds.
It does cause differences when `uname -a` is embedded in the binary,
though.zypper install net-tools-deprecated
With the --vm-type=kvm option, it can even run the same kernel anywhere.


https://build.opensuse.org/package/show/openSUSE:Tools/osc
https://build.opensuse.org/package/show/openSUSE:Tools/build
also have packages for Arch, CentOS, Debian, Fedora, Mageia, ...
if you want to try.


The coreboot guys fetch+build gcc+other sources on the build machine
to be able to generate the same output on different host OSes.
Not that different.
-----BEGIN PGP SIGNATURE-----

iF0EARECAB0WIQRk4KvQEtfG32NHprVJNgs7HfuhZAUCW649VwAKCRBJNgs7Hfuh
ZFd0AKDMgyVp26PIEAvbXK0tkO8goNf5vACdHICH9Lm4NH9nCI7/+2KLaUHs6oI=
=6l/n
-----END PGP SIGNATURE-----


More information about the rb-general mailing list