Making reproducible builds & GitBOM work together without gitBOM-ID embedding

[Yongkui Han]

Hi Chris,

>>>

Do you have any plans to integrate generation into the default Debian

package build pipeline? Perhaps that is not possible though, as it

would require the overhead and complexity of the tracing framework.



I don’t have the plan to integrate for now, since the tool still needs to
change from gitBOM name to OmniBOR.

But it should not be hard to integrate Bomsh into the Debian package build
pipeline: strace should be available in the Debian build environment, and
the main change is to prepend “bomtrace2” to the front of the normal Debian
build command line.



The performance overhead of tracing is high, but I think we just need to do
it for the official release, not for the development build.



One idea is for the reproducible-build community to do this job: When
verifying a Debian package’s reproducibility, we can provide an extra
option or config to generate these additional OmniBOR documents. If we call
it STRONG-BUILD-REPRODUCIBILITY when the OmniBOR IDs are also the same for
multiple Debian package builds, then our tool can be enhanced to verify the
OmniBOR IDs in addition to the checksum of the Debian package.


Thanks,

Yongkui
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20230121/608bca36/attachment.htm>