Hi, today I skimmed the ReproducibleBuilds wiki page and read that "A build tool that would reproduce a build environment using packages from snapshot.debian.org is still missing.".
As I understand it, this task mainly boils down to finding a snapshot that all package versions in the .buildinfo file have been retrieved from. The following Expat licensed Python script tries to figure this out: https://github.com/josch/buildinfo2snapshot This is just a proof of concept. If what I'm doing there is found to be sane, I'll clean this script up and maybe it could be integrated in a package like devscripts? The script essentially calls the same snapshot.d.n API functions as are used by debsnap(1) but instead of downloading the binary packages, it notes the timestamp on which the version was first seen. After having done this for all binary packages in the .buildinfo file, it picks the most recent of these timestamps and downloads the Packages.gz of that timestamp from snapshot.d.o and verifies that this Packages file indeed contains all requested versions. Limitations: 1. the only suite the script will search in right now is "sid". There seems to be no facility to find out which suite a binary package comes from using the snapshot.d.o API. I reported this as bug #774279. In the future it should be possible to also find snapshots in "testing" or "stable" but since buildds build using sid, this seemed to be a good first target. 2. the only archive area supported is "main" 3. if not all binary packages are found in a single snapshot, then an error is thrown All three problems above lead to the problem of: what to do if the package versions specified in the .buildinfo file cannot be found in a single snapshot? This is a problem because debootstrap (which is used to setup the initial chroot by sbuild and pbuilder) only understands a single mirror URL. The solution would be to either fix debootstrap or using multistrap which uses apt and hence can handle any number of mirror URLs. The latter solution is probably the cleaner and more flexible one. Multistrap also allows to specify the exact package version to install (as it just hands this over to apt). So solving the task "A build tool that would reproduce a build environment using packages from snapshot.debian.org" would require: 1. Extending buildinfo2snapshot such that instead of throwing an error in case not all package versions can be found in a single snapshot, it would just return a list of snapshot timestamps which together contain all versions 2. Adapting the tools which are used to create sbuild and pbuilder chroot to use multistrap and allow: 2.1. Multiple mirror URIs 2.2. A list of versioned binary packages Does this sound like a plan? An alternative mode of operation of buildinfo2snapshot would be to bisect the snapshot archive until a snapshot is found that contains the requested binary package versions. This would have the advantage that the additional information about the versions at more timestamps would allow to calculate a smaller final selection of mirror URLs than the last_seen attribute returned by the API together with missing suite information (see bug #774279) allows. The disadvantage would be that downloading multiple Packages files is probably less nice than using the API, bandwidth wise. cheers, josch _______________________________________________ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds