Arch Linux minimal container userland 100% reproducible - now what?

[kpcyrd]

On 3/20/24 19:21, David A. Wheeler via rb-general wrote:
> But you know what I'm going to ask :-). What steps are left, if any, before the "normal" Arch Linux packages that people install are reproducible (at least in core Arch Linux)? Has that milestone been achieved? Will it be achieved once some package updates are released? Or is there something more, and if so, what is it?
> 
> Sorry, it wasn't clear to me if this was some sort of special set of "test packages" or if they were the normal Arch Linux packages.

hi, thanks for raising this question so I can clarify. :)

This is already the real deal, it's exact matches with the packages on 
our mirrors as used and installed by users.

For a minimal bootable Arch Linux system (using systemd-boot instead of 
grub) there's only the Linux kernel missing - this is because of 
CONFIG_MODULE_SIG=y being set in our kernel.

I also tried installing a minimal usable graphical system with lightdm, 
i3 and alacritty, on that setup there's only 4 unreproducible packages 
left (according to data from reproducible.archlinux.org):

- cairo: this was a build failure due to network issues, two other 
rebuilders have cleared this package so hopefully it's getting marked as 
reproducible on the next automatic retry
- libjpeg-turbo: this package contains a .jar file that is built by 
CMake and contains timestamps of the buildtime, but there's no way in 
CMake to pass --date to the jar executable to normalize this
- librsvg: the 3 rebuilders I've checked produced a .text section that 
is 6 bytes shorter (0x2dda2c vs 0x2dda26), I didn't investigate further 
yet, the diff is quite long because a lot of addresses are mismatching 
as a consequence
- linux: explained above

For CMake I've opened an issue in their gitlab that could be used to 
track this topic (or work on it): 
https://gitlab.kitware.com/cmake/cmake/-/issues/25804

cheers,
kpcyrd