RBOS / reproducible-openSUSE

James Addison jay at jp-hosting.net
Tue Feb 25 12:34:06 UTC 2025 

Hi Bernhard,

On Tue, 18 Feb 2025 at 12:22, Bernhard M. Wiedemann via rb-general
<rb-general at lists.reproducible-builds.org> wrote:
> [ ... snip ... ]
> I have some good news to share about my small openSUSE fork project
> https://news.opensuse.org/2025/02/18/rbos-project-hits-milestone/
> that was sponsored by a grant from NLnet.

Many congratulations on building a 100% bit-for-bit reproducible Linux
distribution!

I'd been preparing to ask whether it's possible to uniquely identify
the resulting distro build -- however, if I understand correctly, the
pbuild process already does that[1], by emitting a
checksum-of-checksums of the (locale-agnostically) sorted RPM
packages?

> In the process, I noticed that there are two different variants of
> reproducible builds that we commonly mix together.
>
> There is the first variant where you have an official build and with the
> help of some buildinfo data, people are able to independently produce
> bit-identical binaries.
>
> And then there is the second variant where all required information is
> part of the source, so you can do rebuilds without any official build
> happening somewhere.
> [ ... snip ... ]
> Do we have some existing terminology to distinguish these two kinds of r-b?

Personal opinion: in cases where the dependencies listed in buildinfo
files are themselves FOSS and reproducible, then the two variants are
more similar than they are different.  Under those conditions, the
buildinfo files are similar to links in a graph; and when completely
expanded/flattened, that graph should be equivalent to the complete
source code used during variant-two style builds

If a distro constructed using the second variant method is
self-hosting -- that is, after building it from source, it can be used
to rebuild itself again, producing the same bit-for-bit identical
outcome -- then I would suggest calling that a bootstrapped
reproducible distro.

Regards,
James

[1] - https://build.opensuse.org/projects/home:bmwiedemann:reproducible:distribution:ring1/packages/000pbuildconf/files/sha256sums

More information about the rb-general mailing list