Non-Reproducible Packaging outside distros

Daniel Shahaf danielsh at
Sun Dec 11 23:47:30 UTC 2016

Emanuel Bronshtein wrote on Sun, Dec 11, 2016 at 15:57:09 +0100:
> Some software has packaging process that occur when distributing the software,
> for example in PHPMyAdmin (PHP software) the '' script:
> has reproducibility issues:
> The phpmyadmin packages (in debian & other distros) are based on the above released package.
> which means that there is a SPOF (single point of failure) on the release manager.

So the upstream project should diff the tarballs to the VCS tag.

> related questions/suggestions:
> 1. how to identify software packages that depend on upstream non-reproducible packaging? (then fix the related bugs)

This varies by language.  For C projects, a 'configure' script is
usually a generated file.  Other languages (and build tools) have their
own things.  A second problem is to detect whether the downstream build
script relies on the upstream generated files, or regenerates them.

> 2. maybe elaborate more in about processes that similar to build (compile stuff) but also need to be reproducible. (in order to raise awareness)

> 3. It will be better to verify the upstream packaging process in the future.

Two questions:

a) _What_ should be reproducible?  The path from a VCS tag to a tarball?
The path from a tarball to a compiled binary?  The path from a VCS tag
to a compiled binary [as a single, atomic step]?

b) How do you define the input to the "generate a tarball" step?  A VCS
tag?  How is the corresponding tree represented?  (e.g., Git tree
object, Git fast-export stream, ext2 filesystem image, `find -ls`

All that said, I think this discussion is better suited to the
rb-general@ list; perhaps move/restart the thread there?
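An added example, not part of this thread and not phpMyAdmin's or any distro's tooling: a POSIX shell script that does the check suggested above, diffing a release tarball against the tree exported from the VCS tag, so that files the packaging step generated (a 'configure' script, for instance) or altered after tagging show up explicitly. It assumes the tag export already sits in a directory (in practice produced by `git archive <tag> | tar x`, which is not run here); the "tag" tree and the tarball it compares are constructed inside the script as a fixture, and `--strip-components` is assumed to be available (GNU tar and bsdtar both have it).

```shell
#!/bin/sh
# Added example: compare a release tarball with the tree exported from its VCS tag.
# Assumptions: TAG_DIR is a plain directory holding the tag export (e.g. from
# `git archive`); the tarball has a single top-level directory; tar supports
# --strip-components. Nothing here is taken from the thread or from phpMyAdmin.
set -eu

# compare_release TAG_DIR TARBALL
#   Prints one line per discrepancy:
#     ONLY-IN-TARBALL <path>  file the packaging step added (generated artefact)
#     ONLY-IN-TAG <path>      file dropped from the release
#     DIFFERS <path>          file changed between tag and tarball
#   Returns 1 if any discrepancy was found, 0 if the tarball equals the tag export.
compare_release() {
    tag_dir=$1
    tarball=$2
    work=$(mktemp -d)
    mkdir "$work/tar"
    tar -xf "$tarball" -C "$work/tar" --strip-components=1
    # Sorted file lists on both sides; comm(1) needs identical sort order.
    ( cd "$work/tar" && find . -type f | sort ) > "$work/tar.list"
    ( cd "$tag_dir" && find . -type f | sort ) > "$work/tag.list"
    {
        comm -13 "$work/tag.list" "$work/tar.list" | sed 's/^/ONLY-IN-TARBALL /'
        comm -23 "$work/tag.list" "$work/tar.list" | sed 's/^/ONLY-IN-TAG /'
        # Files present on both sides: compare content byte for byte.
        comm -12 "$work/tag.list" "$work/tar.list" | while IFS= read -r f; do
            cmp -s "$tag_dir/$f" "$work/tar/$f" || echo "DIFFERS $f"
        done
    } > "$work/report"
    cat "$work/report"
    if [ -s "$work/report" ]; then
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
    return 0
}

# make_fixture: constructed sample data (not a real project). Creates a tiny
# "tag export" and a release tarball derived from it with one generated file
# added and one source file edited after tagging. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/tag/src"
    printf 'AC_INIT([demo], [1.0])\n' > "$root/tag/configure.ac"
    printf 'int main(void) { return 0; }\n' > "$root/tag/src/main.c"
    cp -R "$root/tag" "$root/demo-1.0"
    # Generated on the release manager's machine, never committed to the VCS.
    printf '#!/bin/sh\n# generated by autoconf\n' > "$root/demo-1.0/configure"
    # Edited after the tag was cut.
    printf 'int main(void) { return 1; }\n' > "$root/demo-1.0/src/main.c"
    tar -cf "$root/demo-1.0.tar" -C "$root" demo-1.0
    echo "$root"
}

# Usage: sh check_release.sh <tag-export-dir> <release-tarball>
# With no arguments, run against the constructed fixture instead.
if [ $# -eq 2 ]; then
    compare_release "$1" "$2"
elif [ $# -eq 0 ]; then
    root=$(make_fixture)
    if compare_release "$root/tag" "$root/demo-1.0.tar"; then
        echo "tarball matches the tag export"
    else
        echo "tarball diverges from the tag export: review the lines above"
    fi
    rm -rf "$root"
fi
```

Run with no arguments to see the fixture report (`ONLY-IN-TARBALL ./configure` and `DIFFERS ./src/main.c`); run with a tag export directory and a tarball to check a real release. A non-zero exit is what a CI job or a downstream packager would key on; the ONLY-IN-TARBALL lines are the inventory of generated files a distro build either has to regenerate itself or accept on the release manager's word.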



More information about the Reproducible-builds mailing list