[rb-general] openSUSE reproducibility (Re: Core Debian reproducibility: how close?

Bernhard M. Wiedemann bernhardout at lsmod.de
Wed Mar 6 16:06:16 CET 2019


On 04/03/2019 20.11, Holger Levsen wrote:
> 
> what's the difference between bit-by-bit-identical and
> verified-semi-reproducible and verified-bit-identical?

bit-by-bit-identical is when I use my 'rbk' script [1] to build a
package locally twice, with some variations applied that will also occur
in practice:
  hostnamea vs hostnameb
  -j1       vs -j4   (also varies actual number of KVM CPUs)
  $today    vs $today+15.1 years
  -cpu=host vs -cpu=qemu64
and I still get the same result twice.
This is comparable to results on tests.r-b.o for Debian, though the -j1
and cpu=qemu64 found some extra issues and then I miss other issues that
are not so relevant to us.


verified-* is where I run my 'nachbau' script to fetch the official
build, do one local build that uses some details from the official build
(rebuild counter, disturl, hostname) and compare them with cmp and
build-compare. No extra variations are applied here. Natural variations
are bad enough ;-)


verified-bit-identical results are when cmp then returns 0 - this
currently only succeeds with projects like
https://build.opensuse.org/project/prjconf/Application:ERP:GNUHealth:3.4
that do official builds with the required rpm macros set.

Without these macros, mtimes of files are not normalized. This is
because that had some negative effects on python .pyc files.
Build Date and Build Host rpm headers would be less risky to normalize,
but some people still like to have these and also there is no advantage
in normalizing them as long as mtimes vary.


verified-semi-reproducible is when build-compare returns 0, so the
different packages should be equivalent.
https://lists.reproducible-builds.org/pipermail/rb-general/2018-December/001301.html
has details on build-compare

This number also suffers from the fact that (for openSUSE:Factory aka
Tumbleweed) similar to Debian some of our binary packages remain old and
a full rebuild only occurs 1-2 times a year. And then we do not keep an
archive of old binaries, so I do my rebuilds with new libs that will
cause diffs to official builds that used an old lib.
This is better for our stable releases though, because they do full
rebuilds.


[1] https://github.com/bmwiedemann/reproducibleopensuse
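
Added example, not part of the original message and not code from the rbk or nachbau scripts: it shows why un-normalized mtimes separate verified-bit-identical from verified-semi-reproducible. A tar archive stands in for the rpm payload, `normalized()` is a hypothetical stand-in for build-compare, and capping mtimes at a reference time is an assumption about what the rpm macros do (the message does not name them).

```python
import io
import tarfile

# Constructed sample input: a tiny "package" payload and two build times,
# mirroring the message's "$today vs $today+15.1 years" variation.
FILES = {"usr/bin/hello": b"#!/bin/sh\necho hello\n", "usr/share/doc/README": b"docs\n"}
T0 = 1_551_880_000
T1 = T0 + int(15.1 * 365.25 * 86400)
SDE = T0 - 86_400  # assumed SOURCE_DATE_EPOCH-style reference time

def build_archive(files, build_time, clamp_to=None):
    """Pack files into an uncompressed tar; file mtimes follow the build clock
    unless clamp_to is given, in which case they are capped at that value."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = build_time if clamp_to is None else min(build_time, clamp_to)
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def normalized(archive):
    """View of an archive that ignores mtimes (stand-in for build-compare)."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return [(m.name, m.mode, tar.extractfile(m).read()) for m in tar.getmembers()]

def classify(official, rebuilt):
    if official == rebuilt:                          # what "cmp returns 0" means
        return "verified-bit-identical"
    if normalized(official) == normalized(rebuilt):  # equivalent after normalization
        return "verified-semi-reproducible"
    return "different"

if __name__ == "__main__":
    print(classify(build_archive(FILES, T0), build_archive(FILES, T1)))
    print(classify(build_archive(FILES, T0, SDE), build_archive(FILES, T1, SDE)))
```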
