On Sat, 08 Apr 2017 06:52:58 -0400, Bill Auger wrote: > id like to clarify a bit what i think are some mis-conceptions > expressed yesterday in the IRC channel regarding reproducible builds
Hi Bill, The first step is that we simply need better tracking of exactly what source is being used to produce a package--we have a real deficiency here introduced when we ditched Arch's SVN-based tooling for git. I expect to publish a new release of libretools in the next week will resolve this build-side. After that, where the information goes after it is uploaded has a few unresolved questions. While I'm not giving up on PBS as a long-term solution, I believe that an MVP/POC can be worked out very quickly with some minimal changes to dbscripts. This is really a prerequisite to beginning any real work on R-B. > a jenkins server is not a requirement for this task - there is no > standard procedure or tooling to achieve reproducibility - the > jenkins integration is for the reproducible-builds.org CI server to > demonstrate that packages can be built and verified by a third-party > - for the actual work each distro is free to use whatever procedure > and tools suits them for the plainly speaking general goal of making > their builds reproducible I do think that borrowing/building on the work that has been done for the tests.R-B.org/archlinux server is a good idea. I'm not sure Jenkins itself is entirely necessary though; it seems a little heavyweight for what is a pretty simple task. (Well, there are several complicated bits of the task, but they aren't the parts addressed by Jenkins). > that being said - the jenkins integration is already done - arch has > been working with them for some time and arch packages are already > building on the "reproducible-builds" CI server It's currently a TODO item on the Arch jenkins to use disorderfs. This is definitely a requirement for me. Who runs that server? Is it donated by anthraxx, the R-B team, or someone else? > - also to be clear > they are not the AUR packages but the official arch packages - the > next major step forward for arch and parabola is to patch pacman to > reproduce and verify builds - ive been told that this patch is > completed and nearly ready to be implemented widely There are deficiencies in anthraxx's code; I've posted a review of it: https://github.com/anthraxx/pacman/commit/69a94ad47cec921f01f886c4fd310e9f2ca800d3 I've also mostly completed it--we have a tool `librefetch` which at runtime creates a patched copy of makepkg that produces reproducible tarballs; most of that can be re-used (we'll just have to apply the changes to the version supplied in the main `pacman` package). > so there are no major technical blocks to begin - the first step for > parabola is to address the TODO: items on the wiki article - > > 2.2 make pacman produce reproducible builds > > > > this task is mostly completed - arch developer 'anthraxx' See above. > anthraxx and the reproducible-builds team are eager to work with > parabola once some planning, competency, and/or current efforts are > demonstrated publicly > > https://wiki.parabola.nu/Reproducible_Builds -- Happy hacking, ~ Luke Shumaker _______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
