[arch-dev-public] [rb-general] Arch Linux reproducible package archives
Eli Schwartz
eschwartz at archlinux.org
Sun Jan 13 23:18:43 UTC 2019

In the effort to have reproducible builds, it is important to have
availability of all dependent packages listed in the .BUILDINFO
description of a built package. Due to previous efforts within Arch
Linux, we do have a daily snapshot of the repos, but this could
potentially result in missing packages if they were added and then
removed during the course of a single day, and thus never showed up in a
snapshot.

I'm happy to say that this past Friday, I have upgraded the dbscripts to
automatically archive every built package as a core part of our
repository release scripts.

Additionally, the dbscripts will now check each package before allowing
it to be uploaded, to ensure that all installed packages in the
.BUILDINFO are actually available. If a package is not available then
the update will be rejected.

For more details, see
https://git.archlinux.org/dbscripts.git/commit/?id=f11a038c43270a70eafdba34ff33e134b6726a04

Of course, none of this guarantees that a package can be reproducibly
built. However, it does ensure that we know exactly what input went into
building the package, and paves the way for tools which utilize these
dependent packages to test a package for reproducibility.

Happy packaging! :)

--
Eli Schwartz
Bug Wrangler and Trusted User
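
The availability check described in the message above, sketched as an added example (it is not the dbscripts code from the linked commit and not part of the original e-mail): it reads the `installed = ` lines of a .BUILDINFO and reports every entry that has no package file in an archive directory. The flat archive directory layout, the function names and the sample package names and versions are constructed assumptions.

```shell
#!/bin/sh
# Added example, not dbscripts code. Assumes a flat archive directory that
# holds files named <pkgname>-<pkgver>-<pkgrel>-<arch>.pkg.tar.<ext>.

# Print the value of every "installed = ..." line in a .BUILDINFO file.
buildinfo_installed() {
    sed -n 's/^installed = //p' "$1"
}

# Print each installed entry with no package file in the archive.
# Returns 0 if all are present, 1 if any is missing, 2 if unreadable.
missing_buildinfo_deps() {
    buildinfo=$1
    archive=$2
    status=0
    [ -r "$buildinfo" ] || { echo "cannot read $buildinfo" >&2; return 2; }
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        found=0
        for f in "$archive/$entry".pkg.tar*; do
            case $f in *.sig) continue ;; esac  # a detached signature is not the package
            if [ -f "$f" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$entry"
            status=1
        fi
    done <<EOF
$(buildinfo_installed "$buildinfo")
EOF
    return "$status"
}

# Build a constructed sample (made-up package and versions) and print its path.
make_sample() {
    dir=$(mktemp -d) || return 1
    mkdir "$dir/pool"
    cat > "$dir/.BUILDINFO" <<'EOF'
format = 1
pkgname = example
pkgver = 1.0-1
installed = glibc-2.28-5-x86_64
installed = zlib-1:1.2.11-3-x86_64
installed = gone-0.1-1-any
EOF
    : > "$dir/pool/glibc-2.28-5-x86_64.pkg.tar.xz"
    : > "$dir/pool/zlib-1:1.2.11-3-x86_64.pkg.tar.xz"
    : > "$dir/pool/gone-0.1-1-any.pkg.tar.xz.sig"  # signature only, package absent
    printf '%s\n' "$dir"
}
```

A release script using such a check would reject the upload whenever `missing_buildinfo_deps` returns non-zero, which is the behaviour the message describes.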