Introducing: Semantically reproducible builds
Bernhard M. Wiedemann
bernhardout at lsmod.de
Mon May 29 08:31:23 UTC 2023
On 29/05/2023 05.25, David A. Wheeler wrote:
> If you have tips on common likely errors, please post, I think
> that would be of interest to many.
https://github.com/openSUSE/build-compare/issues/53
https://github.com/openSUSE/build-compare/issues/33
https://github.com/openSUSE/build-compare/pull/36
https://github.com/openSUSE/build-compare/pull/28
We use bash there to not add dependencies.
Looking at the bugs, those were mostly problems of tracking state in
variables.
It would be less troublesome if we did not use it like diffoscope to
report all diffs, but instead exited on the first relevant diff to keep it
simple.
>> The cleaner way is to use strip-nondeterminism to remove all these
>> insignificant bits during build and make the resulting bit-reproducible
>> output the official binary.
>
> As a *recipient* who has no control over the build process used by
> someone else to create their package, I need some workable
> alternatives to estimate risk.
A recipient could still use strip-nondeterminism (and custom sed) on
both files before calling diff.
Testing for bit-identity is trivial.
Testing for semantic equivalence is not.
To ensure that the filters did not remove significant parts (e.g. sed
/.*//), they should then use the filtered version in production.
Ciao
Bernhard M.
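The recipient-side approach above (filter both files, then diff, and guard against a filter that throws away the content), as an added example that is not build-compare's or strip-nondeterminism's code. The sample files and the timestamp-stripping sed expression are constructed for this illustration; the "kept at least half the bytes" threshold is an assumed heuristic, not a rule from the thread.

```bash
#!/bin/sh
# Added example: normalise two build outputs with a sed filter, compare the
# filtered versions, and stop at the first relevant difference.

# filter_file FILE SED_EXPR -> prints FILE with the filter applied
filter_file() {
    sed -e "$2" "$1"
}

# compare_filtered A B SED_EXPR
#   returns 0 if A and B are equal after filtering,
#           1 if a relevant difference remains (first diff is printed),
#           2 if the filter removed so much that the comparison is untrustworthy
compare_filtered() {
    a=$1; b=$2; filter=$3
    fa=$(mktemp); fb=$(mktemp)
    filter_file "$a" "$filter" > "$fa"
    filter_file "$b" "$filter" > "$fb"
    # Guard against an over-aggressive filter such as 's/.*//': if the filtered
    # file kept less than half of the original bytes (assumed threshold),
    # refuse to report "equal" on the basis of what is left.
    orig=$(wc -c < "$a"); kept=$(wc -c < "$fa")
    if [ "$kept" -lt $((orig / 2)) ]; then
        rm -f "$fa" "$fb"; return 2
    fi
    if cmp -s "$fa" "$fb"; then
        result=0
    else
        diff -u "$fa" "$fb" | head -n 20 >&2   # show only the first hunk(s)
        result=1
    fi
    rm -f "$fa" "$fb"
    return $result
}

# Constructed sample inputs: the same package built at two different times
# (a and b), and a genuinely different build (c).
make_samples() {
    dir=$(mktemp -d)
    printf 'Build-Date: 2023-05-29T08:31:23Z\nPackage: foo 1.2\n' > "$dir/a.txt"
    printf 'Build-Date: 2023-05-30T11:00:00Z\nPackage: foo 1.2\n' > "$dir/b.txt"
    printf 'Build-Date: 2023-05-30T11:00:00Z\nPackage: foo 1.3\n' > "$dir/c.txt"
    echo "$dir"
}

# Constructed filter: blank out the embedded build timestamp only.
STRIP_DATE='s/^Build-Date: .*$/Build-Date: (stripped)/'
```

Run it as `d=$(make_samples); compare_filtered "$d/a.txt" "$d/b.txt" "$STRIP_DATE"`; a return code of 2 means the filter, not the builds, needs attention.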