whatsrc: Added live-bootstrap provenance data

Andrius Štikonas andrius at stikonas.eu
Sat Aug 31 19:13:31 UTC 2024


> Dear list,
> 
> I've added live-bootstrap <https://github.com/fosslinux/live-bootstrap>
> to the list of distros I import. On the following page:

Thanks!

> 
> https://whatsrc.org/artifact/sha256:b3a24de97a8fdbc835b9833169501030b8977031bcb54b3b3ac13740f846ab30
> 
> It now lists that this source code is considered `zlib 1.2.13` in
> live-bootstrap; it was also seen in Gentoo, Guix, openSUSE and Wolfi OS.
> 
> From their readme, live-bootstrap's objective is:
> > How can a usable Linux system be created with only human-auditable,
> > and wherever possible, human-written, source code?
> 
> They also have a note about pre-processed source code archives:
> > GNU Guix is currently the furthest along project to automate
> > bootstrapping. However, there are a number of non-auditable files used
> > in many of their packages. Here is a list of file types that we deem
> > unsuitable for bootstrapping.
> >
> > [...]
> > 2. Any pre-generated configure scripts, or Makefile.in’s from autotools.
> 
> I did find instances of source code inputs that seem autotools
> pre-processed:

Yes, at the moment we use upstream tarballs, so they do come with preprocessed
autotools files. But we try to rebuild them, e.g. here
https://github.com/fosslinux/live-bootstrap/blob/71ff0a0481992c79347a57f622f3f091a985f67a/steps/libffi-3.3/pass1.sh#L8
we run autoreconf -fi. Though I've also seen some thread recently that
autoreconf -fi is not guaranteed to rebuild absolutely everything...

> 
> libffi 3.3:
> https://whatsrc.org/artifact/sha256:72fba7922703ddfa7a028d513ac15a85c8d54c8d67f55fa5a4802885dc652056
> curl 8.5.0:
> https://whatsrc.org/artifact/sha256:42ab8db9e20d8290a3b633e7fbb3cec15db34df65fd1015ef8ac1e4723750eeb
> 
> But I strongly agree with the overall stance.
> 
> In total the following vendors are currently present in the database:
> 
> - alpine
> - archlinux
> - crates.io (partial)
> - debian
> - fedora
> - gentoo
> - guix
> - homebrew
> - kali
> - live-bootstrap
> - opensuse
> - registry.yarnpkg.com (partial)
> - ubuntu
> - void
> - wolfi
> - yocto
> 
> cheers,
> kpcyrd

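The point raised above, that `autoreconf -fi` rebuilds pre-generated autotools files but is not guaranteed to regenerate all of them, is something a reviewer can check mechanically: inventory the generated files in the unpacked tarball, hash them, run autoreconf, hash again, and list whatever stayed byte-identical. The following is an added shell example, not code from this thread or from live-bootstrap; the list of generated file names it scans for is an assumption of the example and is not exhaustive, and it assumes `sha256sum` (coreutils) or `shasum` is available.

```shell
#!/bin/sh
# Added example (not from this thread or from live-bootstrap): inventory the
# autotools outputs in an unpacked source tree, record their hashes, and after
# an `autoreconf -fi` run report which of them were left byte-identical, so a
# reviewer knows which files still carry upstream's pre-generated content.

# Names that autotools emits from auditable inputs (configure.ac, Makefile.am).
# This list is an assumption for the example and is not exhaustive.
GENERATED_NAMES='configure Makefile.in aclocal.m4 config.h.in ltmain.sh libtool.m4
ltoptions.m4 ltversion.m4 ltsugar.m4 lt~obsolete.m4 compile depcomp missing
install-sh config.guess config.sub'

# Print the relative paths of pre-generated files under $1, one per line, sorted.
find_pregenerated() {
    ( cd "$1" || exit 1
      for name in $GENERATED_NAMES; do
          find . -type f -name "$name"
      done ) | sed 's|^\./||' | LC_ALL=C sort
}

# SHA-256 of one file; uses sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit a manifest "<sha256>  <relative path>" for every pre-generated file under $1.
# Paths containing whitespace are not supported by this simple manifest format.
hash_pregenerated() {
    dir=$1
    find_pregenerated "$dir" | while IFS= read -r path; do
        printf '%s  %s\n' "$(sha256_of "$dir/$path")" "$path"
    done
}

# Given a manifest taken before autoreconf ($1) and one taken after ($2),
# print the paths whose hash did not change: files autoreconf did not rewrite.
# A line "<hash>  <path>" that is identical in both manifests shows up twice
# in the merged sort, which is exactly what `uniq -d` keeps.
unchanged_between() {
    LC_ALL=C sort "$1" "$2" | uniq -d | awk '{ print $2 }' | LC_ALL=C sort
}

# Stand-alone use:
#   ./check-autotools.sh <source-dir>                     print a manifest
#   ./check-autotools.sh <before-manifest> <after-manifest> list unchanged files
if [ $# -eq 1 ]; then
    hash_pregenerated "$1"
elif [ $# -eq 2 ]; then
    unchanged_between "$1" "$2"
fi
```

Typical flow in a build step: take a manifest of the unpacked tarball, run `autoreconf -fi`, take a second manifest, and treat every path printed by `unchanged_between` as still-unaudited upstream output that needs either a hand audit or a more aggressive regeneration (deleting it before autoreconf, for instance). An empty result means every generated file in the list was rewritten, which is the property the thread is after.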