Would/Does it make sense to have a .buildinfo feature in compiling tools as well?

Ximin Luo infinity0 at debian.org
Tue Feb 14 19:23:00 UTC 2017


shirish शिरीष:
> Dear all,
> 
> My idea/suggestion may be crap but still please go through it.
> 
> From whatever little I understand of reproducible builds, one of the
> basic things it tries to do is have a .buildinfo file which can be
> shared with the other person so that s(he) can use the .buildinfo file
> to generate the same binary and see that the checksums
> (sha1sum/sha256sum) are the same.
> 
> Wouldn't you say it would also make sense to have the same/similar
> feature built into compiling tools like make, cmake, premake etc. not
> just for the security POV but also to figure out build failures -
> 
> What do you think ?
> 
> The best thing about the .buildinfo file is that it gives/shares all
> the files needed for a build to happen, like in debian's case with
> dpkg-buildpackage to generate a debian binary.
> 
> Looking forward to know what people think of the idea ?
> 

Hi shirish, I think it's a good idea in principle. But then you have to decide what your eventual goal is, and whether it's worth the cost needed to achieve this goal. Do you have a particular build tool in mind, to start this for?

One thing I can see: .buildinfo files for Debian packages are relatively easy to make because there is one unified way to build a Debian package, and a compact way of describing what else is present on the system (Installed-Build-Depends). For other distributions, they all have similar concepts so it would not be much more expensive - RPM are working on something similar now.

With some other buildsystems, it is easy for them to describe what else is present on the system and was used as part of the build. For example languages that have their own package managers: haskell, ocaml, rust. With other buildsystems, this is harder. For example, C or C++ buildsystems. These pass around -I flags and so on, and they might not be able to describe this "compactly" as a package-version string. You might be able to do something equivalent by storing the hashes of all input files - some of which may be binary files, and they may or may not be reproducible. This would be more costly and might not be worth the effort. Or maybe it would, I don't know.

X

-- 
GPG: ed25519/56034877E1F87C35
GPG: rsa4096/1318EFAC5FBBDBCE
https://github.com/infinity0/pubkeys.git
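The "store the hashes of all input files" approach Ximin sketches for C/C++ buildsystems, as an added example that is not part of the original thread or of any build tool's code: it records a small .buildinfo-like manifest (source files, every header under the -I directories, the toolchain id and the environment variables that affect compilation), then diffs two manifests so a failed or non-reproducible rebuild can be traced to the input that changed. The manifest field names, the constructed sample tree and the toolchain string are assumptions for illustration, not dpkg's .buildinfo format.

```python
"""Record and compare build inputs by content hash, .buildinfo style.

Added example (not from the thread or any project): a minimal manifest
for a C/C++-like build whose inputs are the named source files plus all
headers reachable under the -I directories. Field names are assumptions.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binary inputs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_inputs(root, sources, include_dirs, header_exts=(".h", ".hpp")):
    """Return {relative path: sha256} for the named sources and for every
    header found under the include directories (the -I search path)."""
    inputs = {}
    for src in sources:
        inputs[src] = sha256_file(os.path.join(root, src))
    for inc in include_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, inc)):
            for name in sorted(files):
                if name.endswith(header_exts):
                    full = os.path.join(dirpath, name)
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    inputs[rel] = sha256_file(full)
    return inputs


def make_manifest(root, sources, include_dirs, toolchain, env):
    """Build the manifest: inputs by hash, the toolchain id, and the
    environment variables that influence the compilation."""
    return {
        "Toolchain": toolchain,
        "Environment": {k: env[k] for k in sorted(env)},
        "Checksums-Sha256": collect_inputs(root, sources, include_dirs),
    }


def compare_manifests(a, b):
    """List every (key, old, new) difference between manifests a and b."""
    diffs = []
    if a["Toolchain"] != b["Toolchain"]:
        diffs.append(("toolchain", a["Toolchain"], b["Toolchain"]))
    for k in sorted(set(a["Environment"]) | set(b["Environment"])):
        va, vb = a["Environment"].get(k), b["Environment"].get(k)
        if va != vb:
            diffs.append(("env:" + k, va, vb))
    ca, cb = a["Checksums-Sha256"], b["Checksums-Sha256"]
    for path in sorted(set(ca) | set(cb)):
        if ca.get(path) != cb.get(path):
            diffs.append(("file:" + path, ca.get(path), cb.get(path)))
    return diffs


def demo():
    """Constructed scenario: record a build, rebuild unchanged (no diff),
    then edit one header and CFLAGS and return the differences found."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "include"))
        with open(os.path.join(root, "main.c"), "w") as f:
            f.write('#include "config.h"\nint main(void) { return VALUE; }\n')
        with open(os.path.join(root, "include", "config.h"), "w") as f:
            f.write("#define VALUE 1\n")
        args = (root, ["main.c"], ["include"], "gcc 6.3.0 (constructed id)")
        first = make_manifest(*args, env={"CFLAGS": "-O2"})
        same = compare_manifests(first, make_manifest(*args, env={"CFLAGS": "-O2"}))
        # Second "build": one header changed and CFLAGS differs.
        with open(os.path.join(root, "include", "config.h"), "w") as f:
            f.write("#define VALUE 2\n")
        second = make_manifest(*args, env={"CFLAGS": "-O3"})
        return same, compare_manifests(first, second)


if __name__ == "__main__":
    unchanged, changed = demo()
    print("unchanged rebuild:", json.dumps(unchanged))
    print("changed rebuild:", json.dumps(changed, indent=2))
```

Hashing the inputs rather than naming package versions is what makes this work for -I style builds, and it is also what makes it costly: every header under every include directory is walked and read, and binary inputs (prebuilt libraries, generated tables) are hashed whether or not they are themselves reproducible, so a diff on such a file tells you only that it changed, not why.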
