[Reproducible-builds] reproducible builds of FreeBSD in a chroot on Linux
erik+lists at cederstrand.dk
Wed Jun 17 09:07:12 UTC 2015
> Den 16/06/2015 kl. 23.50 skrev Holger Levsen <holger at layer-acht.org>:
> "Reproducible builds enable anyone to reproduce bit by bit identical binary
> packages from a given source, so that anyone can verify that a given binary
> derived from the source it was said to be derived." - right now you have to
> *believe* someone that the binary really comes from said source. And you need
> to *believe* the system building it wasn't compromised...
The build should be immune to the time of the build, of course. That's fairly easy (e.g. use 'ar -D' consistently and leave DEBUG_FLAGS empty).
But what about the user who started the build? This leaks to at least sendmail config files.
Being agnostic to the path to the src root (e.g. /usr/src or /home/erik/freebsd/HEAD/src) requires rewriting the compiler __FILE__ macro to insert a relative path, and make debuggers understand relative paths. This is hard.
The FreeBSD subversion revision is also leaked several places.
I think reproducible builds are a noble goal and would enable all sorts of smart analysis, e.g. which binaries are affected by a certain commit. Just remember to define the requirements that need to be satisfied to get reproducible builds.
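The leaks Erik lists (source path via __FILE__, the building user, __DATE__/__TIME__ stamps, the subversion revision) are exactly what a reproducibility audit looks for when two builds of the same source differ. The following is an added example, not code from this thread or from the FreeBSD build system: a small strings(1)-style scanner that classifies embedded strings by the kind of build-environment detail they reveal, and a comparison that reports whether two build outputs are bit-identical and which strings differ. The two "objects" are constructed byte strings (the paths /usr/src and /home/erik/freebsd/HEAD/src come from the post; the hostname, the revision number r284500 and the timestamps are made up for the sample).

```python
import hashlib
import re

# Constructed sample objects (not real FreeBSD build output): printable strings
# separated by NUL bytes, imitating what strings(1) sees in a compiled object.
# Build A: done by user "erik" from a checkout under his home directory.
BUILD_A = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/home/erik/freebsd/HEAD/src/lib/libc/gen/fts.c\x00"   # __FILE__ leak
    + b"erik@buildhost.example\x00"                             # user leak
    + b"Built on Jun 17 2015 09:07:12\x00"                      # __DATE__/__TIME__
    + b"r284500\x00"                                            # svn revision (constructed)
    + b"Hello, world\x00"
)
# Build B: same source, built from /usr/src by user "builder" a day later.
BUILD_B = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/usr/src/lib/libc/gen/fts.c\x00"
    + b"builder@buildhost.example\x00"
    + b"Built on Jun 18 2015 10:00:00\x00"
    + b"r284500\x00"
    + b"Hello, world\x00"
)

# Runs of 4+ printable ASCII bytes, the same heuristic strings(1) uses.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
MONTHS = rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
DATE_RE = re.compile(rb"\b" + MONTHS + rb"\s+\d{1,2}\s+\d{4}\b")  # __DATE__ layout
TIME_RE = re.compile(rb"\b\d{2}:\d{2}:\d{2}\b")                   # __TIME__ layout
SVN_RE = re.compile(rb"\br\d{5,}\b")                              # rNNNNNN revision tag


def extract_strings(blob):
    """Return the printable ASCII runs in blob, decoded, in file order."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(blob)]


def find_build_leaks(blob, src_roots=("/usr/src", "/home/"), users=()):
    """Classify embedded strings by the build-environment detail they leak.

    src_roots: path prefixes that identify where the source tree lived.
    users:     login names of accounts that may have run the build.
    Returns {"path": [...], "user": [...], "date": [...], "time": [...], "svn": [...]};
    one string can land in several categories.
    """
    leaks = {"path": [], "user": [], "date": [], "time": [], "svn": []}
    for s in extract_strings(blob):
        raw = s.encode("ascii")
        if any(s.startswith(root) for root in src_roots):
            leaks["path"].append(s)
        if any(u in s for u in users):
            leaks["user"].append(s)
        if DATE_RE.search(raw):
            leaks["date"].append(s)
        if TIME_RE.search(raw):
            leaks["time"].append(s)
        if SVN_RE.search(raw):
            leaks["svn"].append(s)
    return leaks


def compare_builds(blob_a, blob_b):
    """Return (bit_identical, strings only in A, strings only in B).

    Two reproducible builds must agree on the first value; when they do not,
    the two string lists usually point straight at the leaking input.
    """
    identical = hashlib.sha256(blob_a).digest() == hashlib.sha256(blob_b).digest()
    a, b = set(extract_strings(blob_a)), set(extract_strings(blob_b))
    return identical, sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    for kind, hits in find_build_leaks(BUILD_A, users=("erik",)).items():
        print(f"{kind:5s}: {hits}")
    identical, only_a, only_b = compare_builds(BUILD_A, BUILD_B)
    print("bit-identical:", identical)
    print("only in A:", only_a)
    print("only in B:", only_b)
```

Run on the two constructed objects, the scanner flags the home-directory path, the user string, the date/time stamp and the revision tag in build A, and the comparison shows the two builds differ only in the path, user and timestamp strings, which is the shortlist of inputs a build would have to normalise (relative paths, a fixed user, a fixed or omitted timestamp) before bit-for-bit comparison can succeed.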