[arch-dev-public] Reproducible builds progress and the upcoming rebuild of [core]
allan at archlinux.org
Wed Nov 13 02:46:03 UTC 2019
As you may know, we have had people busy looking at what it takes to
make our packages reproducible.
There has been a lot of progress there lately. Our reproducible builds
team (along with the wider reproducible builds community) has been
building our packages in different environments to test how stable the
builds are. The good news is that >80% of our packages could be
built twice in varying environments and give the exact same result.
However, that is only part of the picture. Ideally, we want people to
be able to take one of our packages and rebuild it exactly. With the
release of pacman-5.2, packages record a lot more information about
their build environment. That means we can reconstruct a package's
build chroot, and then rebuild it. There are two tools in the works to
do this. One by Morton (Foxboron) and one by Eli. Note that
both tools need more testing to be ready for a wider release and
currently require some manual editing to run.
The good news is, we have at least 10 packages that can be precisely
reproduced using both these tools! This means you can take one of
these tools and rebuild a package from the repos, and get the exact same
package out of it. This is an amazing effort - well done to the team!
To keep this momentum going, it would be great to rebuild every package
in [core] using makepkg from pacman-5.2+. That way we can test which
packages are actually reproducible and work towards fixing those that
are not. So be prepared for almost the entire repo to hit [testing]
soon, and get your sign-off shoes on!
Again, a huge congrats to our reproducible builds team. This has been a
massive amount of work!