Reproducible Builds for Fedora (a reboot)
Hi,

In 2013, I worked very briefly on enabling reproducible builds for Fedora:
https://securityblog.redhat.com/2013/09/18/reproducible-builds-for-fedora/

After attending the "Reproducible Builds World Summit" recently, I am inspired again to help out in getting this done.

https://reproducible-builds.org/docs/ has a lot of excellent information on getting reproducible builds, and why it is important.

I found the following presentations to be excellent in understanding the subject:
https://reproducible.alioth.debian.org/presentations/2015-08-13-CCCamp15.pdf
https://mikem.fedorapeople.org/Talks/flock-2015-koji-reproducibility/#/

Also, https://github.com/kholia/ReproducibleBuilds has scripts and documentation to help in getting reproducible builds for Fedora.

Dhiru

--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
Reproducible Builds in Fedora
Hi,

I have been working on having Reproducible Builds in Fedora for some time. At this point, I think I have something demoable. Ensuring Reproducible Builds is a big task and I want your feedback, ideas, code and support.

Please see https://github.com/kholia/ReproducibleBuilds for details.

I would like to thank Debian and Ubuntu folks for starting similar projects (and inspiring this work).

Reproducible Builds
===

It should be possible to reproduce every build of every package in Fedora. We want to be able to show that our binary was the result of our source code from our compiler and nobody added anything along the way. Can we (upstream / vendor) show that one of our rpms was built from the source we ship?

It should be possible for the users to verify that the binary matches what the source intended to produce, in an independent fashion. We (the distribution provider) shouldn't be forced to say Trust Us to our users at all.

Steps Involved
==

* Recording the build environment (DONE)
  - Koji does this automatically :-)
* Reproducing the build environment (DONE)
  - Retrieve brootid (buildrootID) corresponding to the NVR we want to test from Koji (DONE)
  - Replicate this buildroot (DONE)
  - Create replica build environment using Mock (DONE)
* Do rebuilds locally using mock (DONE)
* Verify new build against upstream (DONE, Steve's script works great)

Current State
=

* Packages like git, john and qpdf are 100% reproducible as far as code is concerned :-)

Current Challenges
==

See http://tinyurl.com/ReproducibleBuildsProblems

* python-epydoc will add timestamps to the HTML file it produces (needs FIXING).
* javadoc will add timestamps to the HTML file it produces (needs FIXING).
Links
=

https://wiki.debian.org/ReproducibleBuilds
http://fedoraproject.org/wiki/Releases/FeatureBuildId#Unique_build_ID
http://blogs.kde.org/2013/06/19/really-source-code-software
https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
https://trac.torproject.org/projects/tor/ticket/5837
https://trac.torproject.org/projects/tor/ticket/3688
http://bazaar.launchpad.net/~ubuntu-security/ubuntu-security-tools/trunk/files/head:/package-tools/

--
Dhiru
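The last step of the procedure above (verifying a local mock rebuild against the upstream build) with the two known timestamp sources from Current Challenges factored in, as an added example that is not part of the mail or of the kholia/ReproducibleBuilds scripts: the javadoc/epydoc stamp regexes and the sample payloads are assumptions constructed here, and a "timestamp_only" verdict is meant to separate a known upstream bug from a real, unexplained difference.

```python
import hashlib
import re

# The mail names javadoc and python-epydoc as stamping build time into their HTML.
# These patterns are assumptions about what those stamps look like; tune them to
# the actual diffs your rebuilds show before trusting a "timestamp_only" verdict.
TIMESTAMP_PATTERNS = [
    re.compile(rb"<!-- Generated by javadoc .*? -->"),
    re.compile(rb"Generated by Epydoc [0-9.]+ on [^<\n]*"),
]

def normalize(data: bytes) -> bytes:
    """Blank out known timestamp stamps so a timestamp-only diff collapses."""
    for pat in TIMESTAMP_PATTERNS:
        data = pat.sub(b"", data)
    return data

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def compare_builds(upstream: dict, rebuilt: dict) -> dict:
    """Classify every path in two build payloads (path -> file bytes).

    identical      : byte-for-byte match, reproduced
    timestamp_only : differs only by a known stamp, an upstream tool needs fixing
    differs        : unexplained difference, investigate the build
    missing        : present in only one payload
    """
    report = {}
    for path in sorted(set(upstream) | set(rebuilt)):
        if path not in upstream or path not in rebuilt:
            report[path] = "missing"
        elif sha256(upstream[path]) == sha256(rebuilt[path]):
            report[path] = "identical"
        elif sha256(normalize(upstream[path])) == sha256(normalize(rebuilt[path])):
            report[path] = "timestamp_only"
        else:
            report[path] = "differs"
    return report

def is_reproducible(report: dict) -> bool:
    """Only a full byte-for-byte match counts; timestamp-only diffs still fail."""
    return all(v == "identical" for v in report.values())

# Constructed sample payloads (not real package contents).
UPSTREAM = {
    "usr/bin/tool": b"\x7fELF same bytes",
    "usr/share/doc/api/index.html": b"<!-- Generated by javadoc (1.8.0) on Mon Aug 10 10:00:00 UTC 2015 --><p>api</p>",
    "usr/share/doc/epy/index.html": b"<p>Generated by Epydoc 3.0.1 on Mon Aug 10 10:00:00 2015</p>",
    "usr/lib/libfoo.so": b"\x7fELF old",
}
REBUILT = {
    "usr/bin/tool": b"\x7fELF same bytes",
    "usr/share/doc/api/index.html": b"<!-- Generated by javadoc (1.8.0) on Tue Aug 11 09:30:00 UTC 2015 --><p>api</p>",
    "usr/share/doc/epy/index.html": b"<p>Generated by Epydoc 3.0.1 on Tue Aug 11 09:30:00 2015</p>",
    "usr/lib/libfoo.so": b"\x7fELF new",
    "usr/share/doc/NEWS": b"only in rebuild",
}
```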