[Reproducible-builds] reproducible builds of FreeBSD in a chroot on Linux

Erik Cederstrand erik+lists at cederstrand.dk
Wed Jun 17 09:07:12 UTC 2015


> Den 16/06/2015 kl. 23.50 skrev Holger Levsen <holger at layer-acht.org>:
> 
> "Reproducible builds enable anyone to reproduce bit by bit identical binary 
> packages from a given source, so that anyone can verify that a given binary 
> derived from the source it was said to be derived. " - right now you have to 
> *believe* someone that the binary really comes from said source. And you need 
> to *believe* the system building it wasn't compromised...

The build should be immune to the time of the build, of course. That's fairly easy (e.g. use 'ar -D' consistently and leave DEBUG_FLAGS empty).

But what about the user who started the build? This leaks to at least sendmail config files.

Being agnostic to the path to the src root (e.g. /usr/src or /home/erik/freebsd/HEAD/src) requires rewriting the compiler __FILE__ macro to insert a relative path, and make debuggers understand relative paths. This is hard.

The FreeBSD subversion revision is also leaked several places.

I think reproducible builds are a noble goal and would enable all sorts of smart analysis, e.g. which binaries are affected by a certain commit. Just remember to define the requirements that need to be satisfied to get reproducible builds.

Erik
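The leak sources listed above (build time, build user, absolute source path, subversion revision) are exactly what a reproducibility check has to attribute when two builds of the same source differ. The script below is an added example, not code from Erik's message or from the FreeBSD build system: it hashes two build trees, and for every file that differs it looks at the lines that changed and names which of those four sources explains them. The regular expressions are assumed heuristics for this illustration, and the two "build trees" in demo() are constructed inline (an ELF stub, a sendmail .cf header, a $FreeBSD$ tag) so the script runs offline.

```python
"""Compare two build trees and attribute every difference to a known
nondeterminism source: build time, build user, absolute source path or
subversion revision. The detector patterns are heuristics assumed for
this example, not a FreeBSD tool."""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristic detectors for the leak sources discussed in the thread (assumed).
LEAK_PATTERNS = {
    "build_time": re.compile(
        rb"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +\d{1,2} +\d{4}\b"
        rb"|\b\d{2}:\d{2}:\d{2}\b"),
    "absolute_path": re.compile(rb"/(?:usr|home)/[\w./-]+"),
    "svn_revision": re.compile(rb"\$FreeBSD[^$]*\$|\br\d{5,6}\b"),
    "build_user": re.compile(rb"\b(?:by|user|USER)[=: ]+[A-Za-z_][\w-]*"),
}


def hash_tree(root):
    """Map each regular file under root (POSIX relative path) to its SHA-256."""
    root = Path(root)
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(
                p.read_bytes()).hexdigest()
    return out


def differing_lines(a, b):
    """Lines present in exactly one of the two files (order-insensitive)."""
    la = set(a.read_bytes().splitlines())
    lb = set(b.read_bytes().splitlines())
    return la ^ lb


def classify(lines):
    """Name the leak sources that explain the differing lines, or 'unexplained'."""
    kinds = set()
    for line in lines:
        for name, pat in LEAK_PATTERNS.items():
            if pat.search(line):
                kinds.add(name)
    return kinds or {"unexplained"}


def compare_builds(root_a, root_b):
    """Return {relpath: sorted leak kinds} for every file that differs between
    the two trees; files present on one side only are reported as such."""
    ha, hb = hash_tree(root_a), hash_tree(root_b)
    report = {}
    for rel in sorted(set(ha) | set(hb)):
        if rel not in ha:
            report[rel] = ["only_in_b"]
        elif rel not in hb:
            report[rel] = ["only_in_a"]
        elif ha[rel] != hb[rel]:
            report[rel] = sorted(classify(
                differing_lines(Path(root_a) / rel, Path(root_b) / rel)))
    return report


def demo():
    """Constructed sample: the same build done by two users, from two source
    paths, at two times. Every file below is made up for the example."""
    tmp = Path(tempfile.mkdtemp())
    a, b = tmp / "build1", tmp / "build2"
    for d in (a, b):
        (d / "etc" / "mail").mkdir(parents=True)
        (d / "bin").mkdir()
    # Bit-identical output: must not appear in the report.
    (a / "bin" / "cat").write_bytes(b"\x7fELF-cat-stub\n")
    (b / "bin" / "cat").write_bytes(b"\x7fELF-cat-stub\n")
    # sendmail config header carrying the build user and the build time.
    (a / "etc" / "mail" / "freebsd.cf").write_bytes(
        b"##### built by erik on Jun 17 2015 at 09:07:12\n#####\n")
    (b / "etc" / "mail" / "freebsd.cf").write_bytes(
        b"##### built by root on Jun 18 2015 at 11:30:05\n#####\n")
    # Binary carrying __FILE__ as an absolute path plus a $FreeBSD$ keyword.
    (a / "bin" / "ls").write_bytes(
        b"\x7fELF\n/usr/src/bin/ls/ls.c\n$FreeBSD: head/bin/ls/ls.c 284000 $\n")
    (b / "bin" / "ls").write_bytes(
        b"\x7fELF\n/home/erik/freebsd/HEAD/src/bin/ls/ls.c\n"
        b"$FreeBSD: head/bin/ls/ls.c 284500 $\n")
    return compare_builds(a, b)


if __name__ == "__main__":
    for rel, kinds in demo().items():
        print(f"{rel}: {', '.join(kinds)}")
```

Running it prints bin/ls attributed to absolute_path and svn_revision, and etc/mail/freebsd.cf attributed to build_time and build_user, while the identical bin/cat is silent. On a real pair of trees, the "unexplained" bucket is the interesting one: it is where a compromised or misconfigured builder shows up once the known, requirement-level sources have been accounted for.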

