SUSE r-b
Bernhard M. Wiedemann
bernhardout at lsmod.de
Thu Jul 31 13:31:35 UTC 2025
Hello fellow R-B-ings,
I have quite some news.
While I have been working part-time on reproducible-builds for openSUSE
since 2016, it was never an official SUSE project.
Even last year, when I took four months of unpaid leave from SUSE to
work on RBOS [1] as my heart desired...
But that changed earlier this year when reproducible-builds for SLES-16
became an official goal for the product. More people are talking about
digital sovereignty and supply-chain security now.
Since then I have been testing and sending fixes as fast as I could.
In the July monthly report [2] we now have more SUSEans contributing fixes
than I ever thought would happen. Even for complicated stuff like emacs.
And we fixed issues that were around for years (e.g. in llvm since at
least 2018, numpy, mozilla-nss...)
While there are still some issues left, we document in a README [3] how
to verify binaries anyway for many of them, e.g.
colord: needs AVX2 on the build machine (bsc#1237156)
java-21-openjdk: needs to be built on a 4-core VM (bsc#1221224)
memcached: needs to be built before year 2038 (bsc#1246407)
And I added a package named SLES-reproducible-builds that blocks
installation of remaining known-unverifiable packages via rpm's
"Conflicts" mechanism.
Today, only 9 of 3319 (source) packages have significant problems left
(plus 7 with pending fixes), so 99.5% of packages have reproducible builds.
There are remaining questions on how to handle binaries pesign-ed for
secure boot and how to best get kiwi to produce bit-reproducible images
for iso, VMs and containers.
We still have a few months until release, so let's see how nice it will
be in the end.
There is always more left to do (e.g. for openSUSE Factory with its 16k
packages).
Ciao
Bernhard M.
[1] https://lists.reproducible-builds.org/pipermail/rb-general/2025-February/003661.html
[2] https://reproducible-builds.org/reports/2025-07/
[3] https://build.opensuse.org/projects/home:bmwiedemann/packages/SLES-reproducible-builds/files/README