[Reproducible-builds] reproducible OpenWRT?

Holger Levsen holger at layer-acht.org
Sun Jun 14 21:11:46 UTC 2015


Dear OpenWRT developers,

to quote https://reproducible.debian.net/openwrt/ ;-)

Reproducible builds enable anyone to reproduce bit by bit identical binary 
packages from a given source, so that anyone can verify that a given binary 
was derived from the source it was said to be derived from. There is a lot more 
information about reproducible builds on the Debian wiki and on 
https://reproducible.debian.net. The wiki has a lot more information, e.g. why 
this is useful, what common issues exist and which workarounds and solutions 
are known.

Reproducible OpenWrt is an effort to apply this to OpenWrt. Thus each OpenWrt 
target is built twice, with a few variations added and then the resulting 
images and packages from the two builds are compared using debbindiff, which 
currently cannot detect .bin files as squashfs filesystems. Thus the resulting 
debbindiff output is not nearly as clear as it could be - hopefully this 
limitation will be overcome soon. Also please note that the toolchain is not 
varied at all as the rebuild happens on exactly the same system. More 
variations are expected to be seen in the wild.

There is a monthly run jenkins job to test the master branch of openwrt.git. 
Currently this job is triggered more often though, because this is still under 
development and brand new. The jenkins job is simply running 
reproducible_openwrt.sh in a Debian environment and this script is solely 
responsible for creating this page. Feel invited to join #debian-reproducible 
(on irc.oftc.net) to request job runs whenever sensible. Patches and other 
feedback are very much appreciated!

---end-quote------

And that's basically it. Go have a look at the above URLs and you might also 
be interested to know that https://reproducible.debian.net/coreboot shows 100% 
success for coreboot _atm_ (there are more variations in the wild and not all 
payloads tested) and Debian sid is currently at 82% reproducibility.

I've only looked at very few .ipk packages linked in openwrt.html but all I've 
looked at only need a simple modification when creating the inside tarballs to 
set these creation dates to the time+date of the last modification of the 
source code...

Support to better analyze .bin squashfs files with debbindiff will be added 
eventually, also we will build more openwrt targets soon too.

And then we might actually do full release rebuilds too and see if we can 
reproduce your released files bit by bit one day ;-)


Last and definitely not least: thanks a lot for OpenWRT - I happily use it 
daily! :)

cheers,
	Holger
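
The timestamp issue described in the message above, as an added example that is not part of the original post and is not OpenWrt's or Debian's build code: it packs the same constructed package files from two simulated builds into a .tar.gz, once naively and once with the mtime, ownership, member order and gzip header pinned to a fixed source date. The file names, build times and `SOURCE_EPOCH` value are assumptions made for the illustration.

```python
import gzip, hashlib, io, os, tarfile, tempfile

# Constructed sample input: two small control files of an imaginary package.
FILES = {"control": b"Package: example\nVersion: 1.0\n",
         "postinst": b"#!/bin/sh\nexit 0\n"}
SOURCE_EPOCH = 1434316306  # constructed: stands in for the last source modification

def simulate_build(build_time, files):
    """Write identical contents into a fresh directory, stamped with build_time."""
    d = tempfile.mkdtemp()
    for name, data in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (build_time, build_time))  # mtime reflects when the build ran
    return d

def build_tarball(src_dir, source_epoch=None):
    """Return .tar.gz bytes; with source_epoch set, normalize varying metadata."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        names = os.listdir(src_dir)
        if source_epoch is not None:
            names.sort()  # directory listing order is a build variation too
        for name in names:
            path = os.path.join(src_dir, name)
            info = tar.gettarinfo(path, arcname="./" + name)
            if source_epoch is not None:
                info.mtime = source_epoch          # pin to the source date
                info.uid = info.gid = 0            # do not leak the build user
                info.uname = info.gname = "root"
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    out = io.BytesIO()
    # The gzip header carries its own timestamp; None means "current time".
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=source_epoch, filename="") as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def compare(normalize):
    """Hash the tarballs of two builds run at different (constructed) times."""
    epoch = SOURCE_EPOCH if normalize else None
    dirs = [simulate_build(t, FILES) for t in (1434320000, 1434330000)]
    return tuple(hashlib.sha256(build_tarball(d, epoch)).hexdigest() for d in dirs)

if __name__ == "__main__":
    print("naive:     ", compare(False))
    print("normalized:", compare(True))
```
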