From srebuild sbuild-wrapper to debrebuild

Johannes Schauer josch at debian.org
Thu Nov 10 07:54:13 UTC 2016


Hi all,

On Tue, 02 Aug 2016 22:49:00 +0200 Johannes Schauer <josch at debian.org> wrote:
> I was thinking about this issue again and thought that instead of creating a
> wrapper for sbuild which then uses a chroot-setup hook to install the
> dependencies, what I should instead do is to let sbuild itself accept
> .buildinfo files and then do the right thing like:
> 
>  - use snapshot.d.o to retrieve the right timestamps needed to gather all
>    packages
>  - mangle the build dependencies such that the source package now depends on
>    the exact right package versions and let the resolver figure out the rest
>    (thanks Benjamin for that idea)
>  - check whether the generated binaries produce the same checksum as given in
>    the supplied buildinfo file
> 
> But then on IRC, HW42 suggested to approach this problem differently. Instead
> of integrating the functionality of figuring out the right repositories to
> reproduce the contents of a buildinfo file into sbuild, write a tool that can
> drive any package builder (like pbuilder).
> 
> I now wrote such a script.

now that libdpkg-perl comes with support for .buildinfo files, I improved the
script (new version attached) with the following changes:

 - don't use DateTime::Format::Strptime but Time::Piece instead (which is a
   perl core module)
 - don't use CTRL_INDEX_SRC but CTRL_FILE_BUILDINFO now that dpkg supports
   .buildinfo files
 - don't use Dpkg::Compression::FileHandle as it is not needed
 - the .dsc file name is no longer part of the .buildinfo file, so assemble the
   .dsc file name from the package name and version using Dpkg::Source::Package
 - use the information from the Environment field
 - instead of splitting Installed-Build-Depends manually, use
   Dpkg::Deps::deps_parse
 - instead of using [trusted=yes], retrieve the gpg key of the reproducible
   builds repository and verify its fingerprint
 - set Binary::apt-get::Acquire::AllowInsecureRepositories to false so that
   apt-get fails to update repositories it cannot authenticate
 - use Dpkg::Vendor to retrieve the keyring filenames

Thanks to Guillem Jover for the code review!

cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debrebuild.pl
Type: text/x-perl
Size: 16202 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20161110/2b2dd557/attachment.pl>
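
The two checks the message describes, deriving exact version pins from Installed-Build-Depends and comparing rebuilt files against the checksums recorded in the .buildinfo, sketched in Python as an added example (this is not the attached debrebuild.pl and does not use Dpkg::Deps::deps_parse). The sample .buildinfo, package versions and artifact bytes are constructed, and the simple field reader is an assumption standing in for a real deb822 parser.

```python
import hashlib
import re

# Constructed sample data: package names, versions and the "deb" payload are made up.
ARTIFACTS = {"hello_1.0-1_amd64.deb": b"constructed deb payload\n"}
SAMPLE_BUILDINFO = """\
Format: 1.0
Source: hello
Version: 1.0-1
Checksums-Sha256:
 %s %d hello_1.0-1_amd64.deb
Installed-Build-Depends:
 base-files (= 9.6),
 gcc-6 (= 6.2.0-11),
 libc6-dev (= 2.24-5)
""" % (hashlib.sha256(ARTIFACTS["hello_1.0-1_amd64.deb"]).hexdigest(),
       len(ARTIFACTS["hello_1.0-1_amd64.deb"]))

# name, optional :arch qualifier, then an exact "(= version)" relation only
PIN = re.compile(r"^([a-z0-9][a-z0-9+.-]+)(?::[a-z0-9-]+)? \(= ([^\s()]+)\)$")

def parse_fields(text):
    """Minimal deb822 reader: indented lines continue the previous field."""
    fields, key = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key:
            fields[key] += "\n" + line.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key] = value.strip()
    return fields

def exact_pins(fields):
    """Map package -> version; refuse anything that is not an exact (= v) pin."""
    pins = {}
    for item in filter(None, (i.strip() for i in fields["Installed-Build-Depends"].split(","))):
        match = PIN.match(item)
        if match is None:
            raise ValueError("not an exact-version dependency: %r" % item)
        pins[match.group(1)] = match.group(2)
    return pins

def verify_rebuild(fields, artifacts):
    """Return names whose size or SHA-256 differs from the .buildinfo record."""
    bad = []
    for line in filter(None, fields["Checksums-Sha256"].split("\n")):
        digest, size, name = line.split()
        data = artifacts.get(name)
        if data is None or len(data) != int(size) or hashlib.sha256(data).hexdigest() != digest:
            bad.append(name)
    return bad

FIELDS = parse_fields(SAMPLE_BUILDINFO)
```

An empty list from `verify_rebuild` means every recorded file was reproduced bit for bit; any name in the list is a rebuild that differs from what the .buildinfo recorded.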