[pacman-dev] [RFC PATCH] makepkg: extend the .BUILDINFO for enhanced reproducible support

Santiago Torres santiago at nyu.edu
Wed Jul 18 23:25:59 UTC 2018

> Then you need to include all relevant environmental variables too.  And
> given we don't know which are relevant, we need to include all.  

I'd assume that the variables defined on the makepkg.conf should be the
only relevant ones, otherwise the package is not reproducible ;)

On the other hand, I do see a point in claiming that /etc/makepkg.conf
is part of the toolchain, and as such it should be used to bootstrap a
reproducible env.

However, I do think that the intent of the buildinfo are well documented
in their docs[1](emphasis mine):

    Absolutely necessary “human intent”

        embedded certificates if needed (rpm + tor windows)
        source pkg. version
        source pkg hash (contents)
        source package name
        architecture (target) (GNU host)
        build instruction (deb-implicit)
        __USE flags (gentoo). debian: build profile. build time configuration**__
        build-depends. Abstract description of some tool that (fully) defines
        Build-Depends. Source Name/version
        Build-depends. Source packages’ HASH!!! 

I can see how Eli's patch can help beyond achieving the devtools
environment and simplify any overlay tooling around it.

> Which had privacy implications.

If you mean recording *all* the variables then I agree, but I don't
think anyone is proposing this.

> Assumptions need to be made for reproducibilty.

Likewise, but I believe that assumptions can be discussed to reach a
consensus on what these assumptions should be.


[1] https://reproducible-builds.org/events/athens2015/buildinfo-content/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20180718/5f2a0082/attachment-0001.asc>

More information about the pacman-dev mailing list