[arch-dev-public] Reproducible builds progress report #2 and package rebuilders

Morten Linderud foxboron at archlinux.org
Tue May 5 17:59:48 UTC 2020


Yo!

Most should be familiar with the reproducible builds efforts going on in Arch
Linux. The goal is to figure out how to make our packages reproducible, which
can let users verify that our packages are a product of the PKGBUILD we upload
and the source we claim it uses [1].

Last status update was in November [2]! Allan wrote about our attempts at
manually reproducing core packages to find mistakes in them. This went fairly
well and we managed to reproduce a great deal of packages [3].

The progress since then has been great. Jelle went to Marrakesh for the annual
Reproducible Builds summit [4]. Improvements to the tooling have also been made.
Most notably kpcyrd has written rebuilderd which was announced on the
reproducible builds mailing list last week [5].

rebuilderd aims to be a general package rebuilder, supporting multiple distros
with Arch being the first supported one. Rebuilderd allows anyone to easily
create package rebuilders to reproduce distributed packages [6]. It currently
utilizes `repro` for the reproduction itself [7].

As of writing this we have managed to reproduce 86%-90% of the `[core]`
repository across 2-3 rebuilders!

One of the rebuilders currently running is our own rebuilder [8]!

The current setup runs with 3 worker boxes:
    * repro1.pkgbuild.com - Arch
    * repro2.pkgbuild.com - Arch
    * repro3.pkgbuild.com - Debian 10

One can also find a list of rebuilders currently running on the wiki [9].

A use case for these rebuilders is to check whether the packages on your system
are currently verified by one or more rebuilders. kpcyrd wrote
ismyarchverifiedyet to check this [10].

It should be noted that everything is very much a work in progress. Just because
a package is listed as bad doesn't mean it's unreproducible. It might be tooling
bugs or other issues. However, if you want to take a look at it you can do so
with `repro`, or `makerepropkg` in devtools [11].


Cheers from the Reproducible Builds Team!


Sources:
[1]: https://reproducible-builds.org/
[2]: https://lists.archlinux.org/pipermail/arch-dev-public/2019-November/029721.html
[3]: https://wiki.archlinux.org/index.php/DeveloperWiki:ReproduciblePackages
[4]: https://reproducible-builds.org/events/Marrakesh2019/
[5]: https://lists.reproducible-builds.org/pipermail/rb-general/2020-April/001905.html
[6]: https://github.com/kpcyrd/rebuilderd
[7]: https://github.com/archlinux/archlinux-repro
[8]: https://reproducible.archlinux.org/
[9]: https://wiki.archlinux.org/index.php/Package_rebuilders
[10]: https://github.com/kpcyrd/ismyarchverifiedyet
[11]: https://git.archlinux.org/devtools.git/tree/makerepropkg.in

-- 
Morten Linderud
PGP: 9C02FF419FECBE16