[Qa-jenkins-scm] [Git][qa/jenkins.debian.net][master] 2 commits: reproducible Debian rebuilder 'thing': improve description of this prototype's goals

Holger Levsen gitlab at salsa.debian.org
Fri May 8 11:50:10 BST 2020



Holger Levsen pushed to branch master at Debian QA / jenkins.debian.net


Commits:
c6143fa2 by Holger Levsen at 2020-05-08T12:44:46+02:00
reproducible Debian rebuilder 'thing': improve description of this prototype's goals

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
ca84206d by Holger Levsen at 2020-05-08T12:49:52+02:00
reproducible Debian rebuilder 'thing': treat sbuild failing as valid (out of scope)

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


1 changed file:

- bin/reproducible_debian_rebuilder_prototype.sh


Changes:

=====================================
bin/reproducible_debian_rebuilder_prototype.sh
=====================================
@@ -8,11 +8,19 @@ cat << EOF
 
 ###########################################################################################
 ###											###
-### one goal is to create json export to integrate in tracker.d.o and/or packages.d.o.  ###
-### another is to polish /usr/bin/debrebuild from src:devscripts to enable anyone to    ###
-### independently verify that a distributed Debian binary packages comes from the       ###
+### This prototype is meant to achieve several goals:					###
+###											###
+### one goal of is to polish /usr/bin/debrebuild from src:devscripts to enable anyone   ###
+### to independently verify that a distributed Debian binary package comes from the     ###
 ### source package it's said to be coming from.						###
 ###											###
+### once this goal has been achieved we can document these steps. currently the answer	###
+### to the question "how can I verify installed package $x is reproducible?" is: "it's  ###
+### really complicated".								###
+###											###
+### another goal is to create json export to integrate in tracker.d.o and/or		###
+### packages.d.o as well as to provide statistics and graphs.				###
+###											###
 ### the aim is to develop a 'real world' view about the reproducibility of all the      ###
 ### packages distributed via ftp.d.o. - so far tests.r-b.o/debian only shows the 	###
 ### 'theoretical' reproducibility of Debian packages.                                   ###
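Review bot: the `$x` in the added line `to the question "how can I verify installed package $x is reproducible?"` looks like it will be expanded by the shell. The hunk header shows this banner following `cat << EOF`, and with an unquoted delimiter the heredoc body undergoes parameter expansion. The banner would then print an empty package name, or abort if the script runs with `set -u` (not visible in this hunk). Escaping it as `\$x` keeps the literal text. Two smaller points in the same block: "one goal of is to polish" has a stray "of", and the added lines mix tabs and spaces before the closing `###`, so the right-hand border will only line up at one tab width.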
@@ -144,7 +152,7 @@ output_echo "fetching source package $PKG ($VERSION)"
 # FIXME: debrebuild should download the source code too (--optionally) and verify it matches the one described in .buildinfo file. -> file another wishlist bug.
 # FIXME: except that this won't work, contrary to what we suggested, the .buildinfo files don't contain hashes of the source package built. bummer!
 dget --download-only --allow-unauthenticated https://deb.debian.org/debian/pool/main/$POOLPATH/$PKG/${PKG}_$EVERSION.dsc
-dscverify ${PKG}_$EVERSION.dsc || echo "Warning: failed to verify signature, continueing anyway."
+dscverify ${PKG}_$EVERSION.dsc || echo "Warning: failed to verify signature, continueing anyway." # FIXME: we can verify most sources in a Debian release, but never all. basically because keys expire. IOW: this is a pretty fundamental basic problem, for which I know no answer, so let's ignore it and move on ;) for now.
 
 # prepare rebuild command
 DEBREBUILD=$(mktemp -t debrebuild-cmd.XXXXXXXX)
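Review bot: on the changed `dscverify` line, a failed signature check still leaves only an `echo` on stdout, so once the rebuild has run nothing records whether the source was authenticated. The `dget` line above already passes `--allow-unauthenticated`, so `dscverify` is the only check on the .dsc in this hunk. Given the earlier FIXME that .buildinfo files do not carry source hashes, it would help to store the outcome in a variable and carry it into the result, so rebuilds from verified and unverified sources can be told apart later. The new FIXME would also read better as its own comment line above the command than as a trailing comment on a line this long, and `${PKG}_$EVERSION.dsc` should be quoted.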
@@ -212,7 +220,8 @@ if [ "$RESULT" != "0" ] ; then
 		output_echo "and no sbuild logfile found:"
 		ls -lart
 	fi
-	exit 1
+	output_echo "Warning: sbuild failed. Exiting cleanly as this is out-of-scope here."
+	exit 0
 fi
 set -e
 
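Review bot: replacing `exit 1` with `exit 0` in the `if [ "$RESULT" != "0" ]` branch makes an sbuild failure indistinguishable from a completed rebuild for anything that consumes this script's exit status. If build failures are out of scope, a dedicated non-zero exit code that the calling job treats as "skipped", or a status marker written before exiting, would keep them out of the failure count without counting them as successes. The message goes through `output_echo` as a "Warning:", so it is only visible to someone reading the log.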



View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/compare/6a9110c1052a6381804d6d4ce31f0cd3946c404c...ca84206dd0ffbeb0e3d297c7882feb7145910781
