On Mon, 20 Jun 2022 08:06:33 GMT, Johan Vos <[email protected]> wrote:
> But if we want to have reproducibility amongst ephemeral systems, there is
> lots of other work to be done.

On the contrary, it's precisely these well-defined ephemeral systems that make
it easy to reproduce a build. The only other work to be done is to share the
build log.

For example, I build JavaFX in a transient container that installs the latest
build of Ubuntu 18.04, the current release of OpenJDK, and the following extra
packages: `pkg-config`, `libgtk2.0-dev`, `libxtst-dev`, `libgtk-3-dev`, and
`libxxf86vm-dev`. With that information, along with the date, the build script,
and the JavaFX release tag, anyone can reproduce the build environment. If we
allow for reproducible builds, anyone could reproduce the build and get
bit-by-bit identical output.

The Launchpad build farm I use just happens to produce a software bill of
materials. Yet even without the official SBOM, the build log itself works just
as well. Any complete build log from a transient system can serve as a software
bill of materials and allows anyone to reproduce the build even years later.

If parts of your build are proprietary, you could hire someone to verify your
build by reproducing it, in the same way you might hire an accountant to audit
your business by verifying its financial records. That verification is the best
countermeasure against a supply-chain attack, giving you confidence that the
packages you release have not been compromised.

> From a previous comment ("The SBOM is the next step ...") I understand that
> the goal is not reproducibility in any environment though ...

That previous comment on the SBOM was because Kevin was testing on his own
permanent, non-transient development workstation where it's difficult to match
all the system libraries that affect the output of a build. (Even Kevin wasn't
quite sure how his system was different from the transient CI system.) The CI
build, though, if it's done in a transient VM or container, will be completely
described by its build log, so it's straightforward to reproduce.

There are benefits for the OpenJFX project to have reproducible builds beyond
detecting supply-chain attacks. In fact, I think there are still benefits even
if it were only possible on the exact same system. Let me know if you need more
convincing. 😄
-------------
PR: https://git.openjdk.org/jfx/pull/446
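The message above argues that a transient build environment described by its build log (base image, JDK, package list, date, source tag) is enough for anyone to reproduce the build and compare the output bit-for-bit. The following POSIX shell helpers, added here as an illustration and not code from the PR or the OpenJFX project, show the two halves of that idea: writing a minimal environment manifest that the build log would contain, and hashing an output tree in a stable order so two independent builds can be compared. The function names, the manifest layout, and the use of `sha256sum` (with a `shasum` fallback) are assumptions; the sample files in the usage section are constructed.

```shell
#!/bin/sh
# Added example: record a transient build environment and verify that two
# builds of it produce bit-for-bit identical output. Helper names and the
# manifest format are this example's own assumptions, not an OpenJFX convention.

# Fall back to shasum on systems without GNU coreutils (assumption: one exists).
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# write_manifest OUTFILE IMAGE JDK TAG DATE [PACKAGE...]
# Emit the facts a build log needs to carry so the environment can be rebuilt:
# base image, JDK release, source tag, build date, and each extra package.
write_manifest() {
    out=$1; image=$2; jdk=$3; tag=$4; date=$5
    shift 5
    {
        echo "base-image: $image"
        echo "jdk: $jdk"
        echo "source-tag: $tag"
        echo "build-date: $date"
        for pkg in "$@"; do
            echo "package: $pkg"
        done
    } > "$out"
}

# digest_tree DIR
# Hash every regular file under DIR in a locale-independent sorted order, then
# hash that listing, giving one digest for the whole output tree.
digest_tree() {
    dir=$1
    (
        cd "$dir" || exit 1
        find . -type f | LC_ALL=C sort | while read -r f; do
            sha256sum "$f"
        done
    ) | sha256sum | cut -d' ' -f1
}

# verify_reproducible DIR_A DIR_B
# Compare two build output trees; exit status 0 means bit-for-bit identical.
verify_reproducible() {
    a=$(digest_tree "$1")
    b=$(digest_tree "$2")
    if [ "$a" = "$b" ]; then
        echo "REPRODUCIBLE $a"
        return 0
    fi
    echo "MISMATCH $a != $b"
    return 1
}

# Usage (constructed sample, run only when invoked directly with an argument):
#   sh reproduce.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_manifest "$work/manifest.txt" ubuntu:18.04 openjdk-17 jfx19 2022-06-20 \
        pkg-config libgtk2.0-dev libxtst-dev libgtk-3-dev libxxf86vm-dev
    cat "$work/manifest.txt"
    mkdir -p "$work/build1/lib" "$work/build2/lib"
    printf 'constructed artifact' > "$work/build1/lib/libglass.so"
    printf 'constructed artifact' > "$work/build2/lib/libglass.so"
    verify_reproducible "$work/build1" "$work/build2"
    rm -rf "$work"
fi
```

In a real pipeline the manifest lines would simply be the first lines of the CI log, and `digest_tree` would be run once by the original builder and once by whoever reproduces the build; a mismatch points at an environment difference or a non-deterministic build step (timestamps, file ordering), which is exactly what the verification is meant to surface.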