Reproducible Builds Verification Format

Arnout Engelen arnout at bzzt.net
Wed May 13 07:39:40 UTC 2020


On Tue, May 12, 2020 at 11:00 PM Paul Spooren <mail at aparcar.org> wrote:

> The *rebuilders* try to recreate offered binaries following the
> upstream build process as close as necessary.
>
> To make the results accessible, store-able and create tools around them,
> they should all follow the same schema, hello *reproducible builds
> verification format* (rbvf).
>
> Rebuilders should publish those files publicly and sign them. Tools then
> collect those files and process them for users and developers.
>

This seems useful, though I think it is helpful to describe the
relationship between the 'buildinfo' and such a 'rebuild result'.

It is already common practice for a reproducible build to record a
'buildinfo' with information about how/where/etc the build was created
(e.g. https://reproducible-builds.org/docs/recording/).
A nice property of such a buildinfo is that it can be created just from the
sources and dependencies, without needing access to any 'previous builds'
of the same artifacts - so the process is the same for 'initial builders'
and rebuilders.

I think rebuilders should definitely sign and share the buildinfos produced
by their (re)builds of the artifacts. On top of that, I agree it'd be
helpful to collect buildinfos, compare them, and publish a 'reproduction
report' in a uniform way such as how you describe.

> The format is just a draft, please join in and share your thoughts. I'm
> happy to extend, explain and discuss all the details. Please find it
> here[0].
>

You now describe the 'artifacts' field to only be present when the rebuild
failed. Perhaps it would make sense to always include it (though perhaps
not always populate all fields), to make it more explicit what exactly
has been compared?

Also, I think one build can result in multiple buildinfos, and each
buildinfo might in turn cover multiple output files. Perhaps the
'artifacts' field could be layered to reflect that structure?


> As a proof of concept, there is already a *collector* which compares
> upstream provided packages of Archlinux and OpenWrt with the results of
> rebuilders. Please see the frontend here[1].
>
> If you already perform any rebuilds of your project, please contact me on
> how to integrate the results in the collector!
>

Cool!


Arnout
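One way to lay out the layered, always-present 'artifacts' section Arnout asks for, as an added example that is neither the rbvf draft's schema nor any rebuilder's code. The `{buildinfo name: {output file: sha256}}` input layout, the field names and the sample package names are assumptions made for the illustration.

```python
"""Sketch of a layered 'reproduction report': compare the buildinfos an
upstream builder published against the ones a rebuilder produced, and
always emit an 'artifacts' section, structured buildinfo -> output file."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_buildinfos(upstream: dict, rebuild: dict) -> dict:
    """upstream/rebuild: {buildinfo_name: {output_file: sha256_hex}} (assumed
    layout, not the rbvf schema). The returned 'artifacts' field is always
    present and layered per buildinfo and per output file, so a reader sees
    exactly what was compared even when every file matched."""
    artifacts = {}
    for bi_name, up_outputs in sorted(upstream.items()):
        rb_outputs = rebuild.get(bi_name)  # None: rebuilder never produced it
        files = {}
        for fname, up_hash in sorted(up_outputs.items()):
            rb_hash = None if rb_outputs is None else rb_outputs.get(fname)
            if rb_hash is None:
                status = "missing"
            elif rb_hash == up_hash:
                status = "reproducible"
            else:
                status = "different"
            files[fname] = {"upstream": up_hash, "rebuild": rb_hash, "status": status}
        artifacts[bi_name] = {"present_in_rebuild": rb_outputs is not None,
                              "files": files}
    statuses = [f["status"] for bi in artifacts.values() for f in bi["files"].values()]
    return {
        # Only reproducible when there was something to compare and all matched.
        "reproducible": bool(statuses) and all(s == "reproducible" for s in statuses),
        "artifacts": artifacts,
    }


# Constructed sample: one build yielding two buildinfos; the -dbg output differs.
UPSTREAM = {
    "hello_1.0.buildinfo": {"hello_1.0.tar.gz": sha256_hex(b"hello-src"),
                            "hello_1.0_amd64.deb": sha256_hex(b"hello-bin")},
    "hello-dbg_1.0.buildinfo": {"hello-dbg_1.0_amd64.deb": sha256_hex(b"dbg-bin")},
}
REBUILD = {
    "hello_1.0.buildinfo": {"hello_1.0.tar.gz": sha256_hex(b"hello-src"),
                            "hello_1.0_amd64.deb": sha256_hex(b"hello-bin")},
    "hello-dbg_1.0.buildinfo": {"hello-dbg_1.0_amd64.deb": sha256_hex(b"dbg-bin+ts")},
}

if __name__ == "__main__":
    print(json.dumps(compare_buildinfos(UPSTREAM, REBUILD), indent=2))
```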