NetBSD Reproducibility Report #6

Jan-Benedict Glaw jbglaw at lug-owl.de
Mon Dec 9 11:55:23 UTC 2024 

On Mon, 2024-12-09 10:15:57 +0000, Holger Levsen <holger at layer-acht.org> wrote:
> On Sun, Dec 08, 2024 at 10:52:27PM +0100, Jan-Benedict Glaw wrote:
> > I've just published the 6th NetBSD reproducibility report [1]. It how
> 
> I find it interesting, that more builds on linux are reproducible than
> on netbsd!

Don't know how that happened, but I'll work on getting the
NetBSD-based builds to build reproducible as well.

> & I didn't find checksums anywhere, are they behind URLs like

Of what would you like to have checksums? I do four builds (two on a
Linux host, two on a NetBSD host), create a tarball of the release
artifacts and just create a checksum over all four tarballs.

  Those are initially compared as pairs (the two NetBSD builds on one
hand and the two Linux-based builds on the other hand), and if both
compare successfully, I also check the checksums of the Linux-based
builds with those of the NetBSD build.

  I don't know if it's any good to publish my tarball's checksums.
Maybe a manifest (with checksums) of the whole release tree
(containing kernel images, install filesystems, ...) might be useful
to have, but that's actually already (mostly) there:

root at lili:~/evbarm-earmv6/b1/_rel_# find|sort|grep -E '(MD5|SHA)'
./evbarm-earmv6/binary/kernel/MD5
./evbarm-earmv6/binary/kernel/SHA512
./evbarm-earmv6/binary/sets/MD5
./evbarm-earmv6/binary/sets/SHA512

As for the evbarm port: some install stuff isn't covered:

./evbarm-earmv6/installation/bootmini2440
./evbarm-earmv6/installation/instkernel
./evbarm-earmv6/installation/instkernel/netbsd-RPI_INSTALL.gz
./evbarm-earmv6/installation/instkernel/netbsd-RPI_INSTALL.img.gz
./evbarm-earmv6/installation/instkernel/netbsd-RPI_INSTALL.symbols.gz
./evbarm-earmv6/installation/ramdisk
./evbarm-earmv6/installation/ramdisk/ramdisk.fs
./evbarm-earmv6/installation/ramdisk/ramdisk.ub


> http://toolchain.lug-owl.de/laminar/jobs/nnetbsd-mvme68k-m68k/30
> which dont work for me with firefox (initial loading of the page is
> fine, but as soon as I scroll I only see a white page and the tab
> becomes unresponsive), does chromium work better?

That's potentially a 300 MB'ish download containing a verbose build
log; better look at that with `curl`...

> & so I'm wondering: do the linux builds produce the exact same artifacts
> as the builds on netbsd?

When there is a "reproducibility star" in the final column (called
"All four builds"), then the tarball containing all release artifacts
are bit-identical for all four builds. (Getting even one all-fours is
a great achievement, but we're already at 44, nearly half of all
combinations, and a few of them are actually completely dead, like
or1k, playstation2-mipsel, sgimips-mips64eb, evbcf-coldfire,
arc-mips64el.)

MfG, JBG

-- 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20241209/62339412/attachment.sig>

More information about the rb-general mailing list