[arch-dev-public] [RFC] Remove svn propset id's

Eli Schwartz eschwartz at archlinux.org
Wed Aug 29 20:44:21 UTC 2018


On 8/29/18 4:23 PM, Jelle van der Waa wrote:
> Most of our PKGBUILDs svn propset's break reproducible builds and the
> pkgbuild_sha256sum in the BUILDINFO file. When building a package before
> committing the PKGBUILD the propset $Id will differ since the $Id is set on
> commit.
> 
> This has a few implications, pkgbuild_sha256sum is useless and we can't
> reproduce packages due to the BUILDINFO not matching. Also the reproduce tool
> uses ASP to retrieve the PKGBUILD and therefore can't verify that it got the
> correct PKGBUILD (it relies on pkgbuild_sha256sum).
> 
> To resolve this issue we could simply remove the propset id's, since for
> me, although not sure about others, they don't seem particularly useful.

I've never been entirely clear on their motivating purpose, in fact.


Also to expand on the general issue for people who aren't in
#archlinux-reproducible:

When you run extra-x86_64-build, you're using the PKGBUILD you're about
to commit, which svn will set to the expanded propset of the previous
commit... which matches no file ever seen by svn.

If you svn commit, and *then* extra-x86_64-build, then svn will actually
have the right file. What's the likelihood of people making sure to svn
commit before making sure the package actually builds as expected...

IIRC at least some packages seem to have been built by the svntogit
exported PKGBUILD (e.g. via asp) since their pkgbuild_sha256sum can be
obtained from asp.

This results in far too many ways to maybe get the actual file used to
build, and in the most likely scenario it requires deep forensics of the
svn repository.

...

svn propsets will die either way whenever we finally manage to migrate
away from svn and onto git.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
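
The mismatch described in this message, as an added example that is not part of the original thread: the same PKGBUILD body hashes differently depending on how the `$Id$` keyword was expanded when the package was built. The function names and sample PKGBUILD contents are constructed, and the svntogit export is assumed to carry the unexpanded `$Id$` form.

```python
import hashlib
import re

# Matches an svn Id keyword, expanded ("$Id: PKGBUILD 1001 ... $") or not ("$Id$").
ID_KEYWORD = re.compile(rb"\$Id(?::[^$\n]*)?\$")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collapse_id(pkgbuild: bytes) -> bytes:
    """Return the PKGBUILD with every Id keyword collapsed to the unexpanded form."""
    return ID_KEYWORD.sub(b"$Id$", pkgbuild)


def classify(recorded_sum: str, retrieved: bytes) -> str:
    """Relate a retrieved PKGBUILD to the pkgbuild_sha256sum recorded in BUILDINFO."""
    if sha256(retrieved) == recorded_sum:
        return "exact"            # built from exactly this file
    if sha256(collapse_id(retrieved)) == recorded_sum:
        return "unexpanded-id"    # built from a copy with a bare $Id$ (assumed export form)
    return "unverifiable"         # built with some other expansion; hash cannot be matched


# Constructed sample: one PKGBUILD body, three Id states (hypothetical revisions and user).
BODY = b"pkgname=example\npkgver=1.0\npkgrel=2\n"
# Working copy before commit: new body, Id still expanded from the previous commit.
WORKING_COPY = b"# $Id: PKGBUILD 1000 2018-08-01 10:00:00Z alice $\n" + BODY
# What svn stores and serves after the commit.
COMMITTED = b"# $Id: PKGBUILD 1001 2018-08-29 20:00:00Z alice $\n" + BODY
# Copy with the keyword unexpanded.
EXPORTED = b"# $Id$\n" + BODY

if __name__ == "__main__":
    for label, built_from in (("build before commit", WORKING_COPY),
                              ("build after commit", COMMITTED),
                              ("build from export", EXPORTED)):
        print(f"{label}: {classify(sha256(built_from), COMMITTED)}")
```
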
