Arch Linux minimal container userland 100% reproducible - now what?

Michael Schierl schierlm at gmx.de
Tue Mar 26 16:03:04 UTC 2024


Hello,

On 26.03.2024 at 12:47, kpcyrd wrote:

> With the model of reproducible builds, as currently implemented by the
> Arch Linux community, each group tries to reproduce the binary package
> from source repeatedly until they get an exact match. A group listing a
> package as 'GOOD' is claiming they have managed (at some point) to
> confirm the binary can be built when executing the given build
> instructions on the given source code.

So we can expect many year/month pairs embedded in manpages that got
unnoticed since mostly the build happens in the same month? Or have they
been manually vetted?

> I think this falls under "bootstrappable builds", a bare amd64 computer
> still needs something to boot into (a CD with only source code won't do
> the trick).
>
> Implementing this can get quite involved and as of 2024 is not a
> personal priority for me (I'm just side-questing this along with a few
> other people on top of our actual dayjobs), if anybody is interested in
> working on this they are welcome to join #archlinux-reproducible on
> libera, but I'm also not aware of any other distro having integrated
> with https://bootstrappable.org/ yet.

Apart from Guix pushing bootstrappable builds for quite some time,
recent builds of Freedesktop SDK (container userland mostly used for
flatpaks) are fully bootstrapped from stage0 - except for Rust which is
not bootstrapped via mrustc but built using the binary package from upstream.


Assuming I wanted to bootstrap some (non-reproducible) Arch setup from
Freedesktop SDK and then use it to verify the reproducible builds, what
steps would I have to take?

Probably build pacman and other Arch specific tools and all the
build-dependencies of minimal container userland (which are not included
in Freedesktop SDK) once from source? Then use those to build the exact
versions in BUILDINFO files for all packages that are part of minimal
container userland? And then start up some tooling that will fetch the
sources and reproduce them one by one? Or would I have to use the
versions in BUILDINFO again to build the dependencies until a fixed
point is reached, before I could start reproducing the packages?

Has anything like that been tried for Arch? How many dependency loops
are there in the build dependencies of the packages mentioned above, and
can they be broken by using packages from Freedesktop SDK?


Just asking,


Michael
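
An added example, not part of the message above and not Arch or Freedesktop SDK tooling: it reads the `installed` entries of a .BUILDINFO file to get the exact versions to rebuild, and lists the build-dependency loops that remain once a set of seed packages is taken from an external source. The sample BUILDINFO text, the dependency graph, and the function names `pinned_environment` and `dependency_loops` are constructed for illustration.

```python
# Constructed sample in .BUILDINFO "key = value" form (not a real package).
SAMPLE_BUILDINFO = """\
pkgname = example-pkg
installed = gcc-13.2.1-5-x86_64
installed = ca-certificates-utils-20240203-1-any
installed = example-lib-1:2.0-3-x86_64
"""
# Constructed graph (package -> build dependencies); not Arch's real data.
SAMPLE_BUILD_DEPS = {
    "gcc": {"gcc", "glibc", "binutils"},
    "glibc": {"gcc", "binutils"},
    "binutils": {"gcc", "glibc"},
    "pacman": {"gcc", "glibc"},
}

def pinned_environment(text):
    """Map package name -> 'pkgver-pkgrel' from the 'installed' lines."""
    pins = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" = ")
        if sep and key == "installed":
            # Package names may contain '-', so split from the right.
            name, ver, rel, _arch = value.rsplit("-", 3)
            pins[name] = f"{ver}-{rel}"
    return pins

def dependency_loops(build_deps, seed=frozenset()):
    """Tarjan SCCs that remain once `seed` packages come from outside."""
    graph = {p: sorted(d for d in deps if d in build_deps and d not in seed)
             for p, deps in build_deps.items() if p not in seed}
    index, low, stack, loops = {}, {}, [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in graph[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of a component
            comp = set(stack[stack.index(v):])
            del stack[stack.index(v):]
            if len(comp) > 1 or v in graph[v]:
                loops.append(comp)
    for v in sorted(graph):
        if v not in index:
            visit(v)
    return loops
```

An empty result for a given seed set means every remaining package can be built in some order without a loop.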



More information about the rb-general mailing list