On 2017-09-18 00:26, Russ Allbery wrote:
> 2. Set the entire environment to the environment specified in buildinfo
>    when doing a reproducible build. I think this is conceptually the
>    simplest, but it means that we should make every tool that builds
>    official Debian packages use the same environment variable logic so
>    that the buildinfo file completely captures the environment (without
>    leaking random, inappropriate things into buildinfo). It also means
>    effectively giving up on debian/rules build being a path for making a
>    reproducible build, since we don't have control over that environment,
>    but I think it will be hard to make that work anyway.

FWIW this is the approach we've taken on both of the Baserock build
tools, and for BuildStream [1].

Given that it's trivially easy for a build script to try to call out to
the internet (e.g. fetch tarball, git clone), or look for custom
environment variables, we think it's clearly safest to put everything in
a sandbox and be explicit about resources, network and environment
variables.

br
Paul

[1] https://wiki.gnome.org/Projects/BuildStream/
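
The explicit-environment idea discussed in this message, as an added example that is not part of the original post and is not code from Debian, Baserock or BuildStream: a build step is run with exactly the variables recorded in a buildinfo file, so nothing from the caller's environment reaches it. It assumes the `Environment:` field layout described in deb-buildinfo(5) (one `NAME="value"` entry per continuation line, quotes and backslashes backslash-escaped); the sample file and the function names are constructed for illustration, and network or resource sandboxing is out of scope.

```python
import re
import subprocess
import sys

# Constructed sample: only the Environment field matters for this example.
SAMPLE_BUILDINFO = '''\
Format: 1.0
Source: hello
Version: 2.10-1
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
 LANG="C.UTF-8"
 SOURCE_DATE_EPOCH="1505692800"
 NOTE="say \\"hi\\""
'''

_ENTRY = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)="(.*)"$')


def parse_environment(buildinfo_text):
    """Return the variables listed in the Environment field as a dict."""
    env, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Environment:"):
            in_field = True
        elif in_field and line[:1] in (" ", "\t"):
            m = _ENTRY.match(line.strip())
            if not m:
                # Fail closed: a half-parsed environment is not reproducible.
                raise ValueError(f"malformed Environment entry: {line!r}")
            # Undo the backslash escaping of quotes and backslashes.
            env[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
        elif in_field:
            break  # next field starts, Environment is finished
    return env


def run_with_recorded_env(buildinfo_text, argv):
    """Run argv with only the recorded variables; the caller's are dropped."""
    env = parse_environment(buildinfo_text)
    # env= replaces the inherited environment instead of extending it.
    # argv[0] must be an absolute path unless PATH is among the recorded variables.
    done = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    probe = "import os; print(sorted(os.environ))"
    print(run_with_recorded_env(SAMPLE_BUILDINFO, [sys.executable, "-c", probe]))
```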