[pacman-dev] [RFC PATCH] makepkg: extend the .BUILDINFO for enhanced reproducible support
Santiago Torres
santiago at nyu.edu
Wed Jul 18 23:25:59 UTC 2018
> Then you need to include all relevant environmental variables too. And
> given we don't know which are relevant, we need to include all.
I'd assume that the variables defined on the makepkg.conf should be the
only relevant ones, otherwise the package is not reproducible ;)
On the other hand, I do see a point in claiming that /etc/makepkg.conf
is part of the toolchain, and as such it should be used to bootstrap a
reproducible env.
However, I do think that the intent of the buildinfo is well documented
in their docs [1] (emphasis mine):
Absolutely necessary “human intent”
embedded certificates if needed (rpm + tor windows)
source pkg. version
source pkg hash (contents)
source package name
architecture (target) (GNU host)
build instruction (deb-implicit)
__USE flags (gentoo). debian: build profile. build time configuration**__
build-depends. Abstract description of some tool that (fully) defines
Build-Depends. Source Name/version
Build-depends. Source packages’ HASH!!!
I can see how Eli's patch can help beyond achieving the devtools
environment and simplify any overlay tooling around it.
> Which had privacy implications.
If you mean recording *all* the variables then I agree, but I don't
think anyone is proposing this.
> Assumptions need to be made for reproducibility.
Likewise, but I believe that assumptions can be discussed to reach a
consensus on what these assumptions should be.
Thanks,
-Santiago.
[1] https://reproducible-builds.org/events/athens2015/buildinfo-content/
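As an added illustration of the allowlist approach argued in this message (example code, not from pacman, Eli's patch or the reproducible-builds project): it parses a constructed makepkg.conf fragment, records only a hypothetical allowlist of build-relevant variables in a simplified one-line-per-value layout, and reports which recorded keys differ between two builds.

```python
import re

# Constructed sample of a makepkg.conf fragment (not a real system file).
SAMPLE_MAKEPKG_CONF = """
#!/hint/bash
CARCH="x86_64"
CHOST="x86_64-pc-linux-gnu"
CFLAGS="-march=x86-64 -O2 -pipe -fno-plt"
CXXFLAGS="${CFLAGS}"
MAKEFLAGS="-j4"
BUILDENV=(!distcc color !ccache check !sign)
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge)
PACKAGER="Example Builder <builder at example.org>"
"""

# Hypothetical allowlist: only variables that shape the produced package are
# recorded, so incidental or private environment (e.g. PACKAGER) stays out.
RELEVANT_VARS = ("CARCH", "CHOST", "CFLAGS", "CXXFLAGS", "LDFLAGS",
                 "MAKEFLAGS", "BUILDENV", "OPTIONS")

_ASSIGN = re.compile(r'^\s*([A-Z_]+)=(.*)$')

def parse_makepkg_conf(text):
    """Return {VAR: str | list} for simple shell assignments; bash arrays
    become lists and ${VAR}/$VAR references to earlier variables are expanded."""
    values = {}
    def expand(s):
        return re.sub(r'\$\{?([A-Z_]+)\}?',
                      lambda m: " ".join(values.get(m.group(1), [])) if
                      isinstance(values.get(m.group(1)), list)
                      else values.get(m.group(1), ""), s)
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue  # comments, shebang hints and blank lines are skipped
        name, raw = m.group(1), m.group(2).strip()
        if raw.startswith("(") and raw.endswith(")"):
            values[name] = [expand(v) for v in raw[1:-1].split()]
        else:
            values[name] = expand(raw.strip('"\''))
    return values

def buildinfo_lines(conf_text, allowlist=RELEVANT_VARS):
    """Render allowlisted variables as 'key = value' lines, one per value."""
    values = parse_makepkg_conf(conf_text)
    lines = []
    for k in allowlist:
        if k in values:
            vals = values[k] if isinstance(values[k], list) else [values[k]]
            lines.extend(f"{k.lower()} = {v}" for v in vals)
    return lines

def diff_buildinfo(lines_a, lines_b):
    """Return the recorded keys whose values differ between two builds."""
    def to_dict(lines):
        d = {}
        for l in lines:
            k, v = l.split(" = ", 1)
            d.setdefault(k, []).append(v)
        return d
    a, b = to_dict(lines_a), to_dict(lines_b)
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))
```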