[Qa-jenkins-scm] [Git][qa/jenkins.debian.net][master] 2 commits: reproducible Debian rebuilder 'thing': improve description of this prototype's goals
Holger Levsen
gitlab at salsa.debian.org
Fri May 8 11:50:10 BST 2020
Holger Levsen pushed to branch master at Debian QA / jenkins.debian.net
Commits:
c6143fa2 by Holger Levsen at 2020-05-08T12:44:46+02:00
reproducible Debian rebuilder 'thing': improve description of this prototype's goals
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
ca84206d by Holger Levsen at 2020-05-08T12:49:52+02:00
reproducible Debian rebuilder 'thing': treat sbuild failing as valid (out of scope)
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
1 changed file:
- bin/reproducible_debian_rebuilder_prototype.sh
Changes:
=====================================
bin/reproducible_debian_rebuilder_prototype.sh
=====================================
@@ -8,11 +8,19 @@ cat << EOF
###########################################################################################
### ###
-### one goal is to create json export to integrate in tracker.d.o and/or packages.d.o. ###
-### another is to polish /usr/bin/debrebuild from src:devscripts to enable anyone to ###
-### independently verify that a distributed Debian binary packages comes from the ###
+### This prototype is meant to achieve several goals: ###
+### ###
+### one goal of is to polish /usr/bin/debrebuild from src:devscripts to enable anyone ###
+### to independently verify that a distributed Debian binary package comes from the ###
### source package it's said to be coming from. ###
### ###
+### once this goal has been achieved we can document these steps. currently the answer ###
+### to the question "how can I verify installed package $x is reproducible?" is: "it's ###
+### really complicated". ###
+### ###
+### another goal is to create json export to integrate in tracker.d.o and/or ###
+### packages.d.o as well as to provide statistics and graphs. ###
+### ###
### the aim is to develop a 'real world' view about the reproducibility of all the ###
### packages distributed via ftp.d.o. - so far tests.r-b.o/debian only shows the ###
### 'theoretical' reproducibility of Debian packages. ###
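Review bot: The added banner line "one goal of is to polish /usr/bin/debrebuild" has a stray "of" and should read "one goal is to polish". The banner now opens with "This prototype is meant to achieve several goals:" but then introduces them as "one goal", "another goal" and "the aim", so the third item does not read as part of the list; a short enumerated list would make it clear that the 'real world' reproducibility view is the third goal and not a summary of the other two.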
@@ -144,7 +152,7 @@ output_echo "fetching source package $PKG ($VERSION)"
# FIXME: debrebuild should download the source code too (--optionally) and verify it matches the one described in .buildinfo file. -> file another wishlist bug.
# FIXME: except that this won't work, contrary to what we suggested, the .buildinfo files don't contain hashes of the source package built. bummer!
dget --download-only --allow-unauthenticated https://deb.debian.org/debian/pool/main/$POOLPATH/$PKG/${PKG}_$EVERSION.dsc
-dscverify ${PKG}_$EVERSION.dsc || echo "Warning: failed to verify signature, continueing anyway."
+dscverify ${PKG}_$EVERSION.dsc || echo "Warning: failed to verify signature, continueing anyway." # FIXME: we can verify most sources in a Debian release, but never all. basically because keys expire. IOW: this is a pretty fundamental basic problem, for which I know no answer, so let's ignore it and move on ;) for now.
# prepare rebuild command
DEBREBUILD=$(mktemp -t debrebuild-cmd.XXXXXXXX)
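Review bot: The FIXME added to the dscverify line documents that a failed signature check is ignored, but the command still treats every failure the same way: whatever the reason dscverify returns non-zero, the same warning is printed and the rebuild continues on a source fetched with --allow-unauthenticated. The FIXME two lines above already notes that the .buildinfo files carry no hashes of the source package, so within the visible lines nothing else ties the downloaded source to what was originally built. Suggest storing the dscverify result in a variable and carrying it into the job's output, so a rebuild from an unverified source is marked as such in the results, and moving the long trailing comment onto its own line above the command.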
@@ -212,7 +220,8 @@ if [ "$RESULT" != "0" ] ; then
output_echo "and no sbuild logfile found:"
ls -lart
fi
- exit 1
+ output_echo "Warning: sbuild failed. Exiting cleanly as this is out-of-scope here."
+ exit 0
fi
set -e
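Review bot: Replacing "exit 1" with "exit 0" in the sbuild failure branch makes a failed rebuild indistinguishable from a successful one to whatever calls this script, since the only remaining signal is the warning text in the log. Given the banner's stated goal of a json export with statistics and graphs, a package whose rebuild did not complete should not be counted alongside packages that were actually rebuilt and compared. Suggest keeping the clean exit if the job must not go red, but recording a distinct result for this case (a status marker in the output, or a dedicated exit code the caller maps to "not built") so the outcome is machine-readable.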
View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/compare/6a9110c1052a6381804d6d4ce31f0cd3946c404c...ca84206dd0ffbeb0e3d297c7882feb7145910781