Hi Wouter,

sorry for the late reply but I think it's still relevant...
(just thus rather leaving almost full quote as context.)

On Thu, Jul 08, 2021 at 11:25:26AM +0200, Wouter Verhelst wrote:
> On Mon, Jul 05, 2021 at 12:31:10PM +0000, Holger Levsen wrote:
> > On Mon, Jul 05, 2021 at 02:09:36PM +0200, Mathieu Parent (Debian) wrote:
> > > > Do you have plans to support publishing builds only if they've produced
> > > > bit by bit identical results on several builders? IOW, do you plan to
> > > > support reproducible builds? :)
> > > There is no specific support for reproducible builds. Currently,
> > > But reproducibility can be tested in GItlab jobs, before the upload.
> > that's nice, but rather theoretic (however common it is today) in practice 
> > :)
> > It would be really interesting / a game changer, to have a publishing option
> > which would only allow publishing of builds proven in practice to be 
> > identical.
> It's actually fairly easy to do that:
> - Create two runners, with different tags (e.g., one tagged "build1",
>   and one tagged "build2"). One can be a docker runner, the other a
>   shell runner, just to keep things interesting.
> - Create two jobs that build the same source in ways that might trigger
>   reproducability issues (I'm sure you're better at this than me). Make
>   sure that they don't store their artifacts in the same location (e.g.,
>   one job runs "dcmd mv ../*.changes products/build1/", and the other
>   one does "dcmd mv ../*.changes products/build2/").
> - Have a third job that depends on both the above two jobs, and that
>   runs diffoscope over the artifacts of both jobs. If and only if the
>   diffoscope doesn't reveal any issues, run dput to upload the packages.
> I think the salsa-CI team can easily add support for this to their
> generic pipeline...

that would be really nice, thank you for explaining this idea so well!

just one thing: here we do *not* want to trigger reproducibility issues,
rather the opposite: if we manage to do two builds resulting in exactlty
the same .deb(s), we are happy.

because here, our focus would be to publish things :)

elsewhere we do have a well known setup to find problems... 


 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C

When this virus is over, I still want some of y'all to stay away from me.

Attachment: signature.asc
Description: PGP signature

Reply via email to