[pacman-dev] [RFC PATCH] makepkg: extend the .BUILDINFO for enhanced reproducible support

Eli Schwartz eschwartz at archlinux.org
Wed Jul 18 23:51:08 UTC 2018


On 07/18/2018 06:26 PM, Allan McRae wrote:
> Then you need to include all relevant environmental variables too.  And
> given we don't know which are relevant, we need to include all.  Which
> had privacy implications.
> 
> Assumptions need to be made for reproducibility.  I'm happy with the
> package being built in a clean chroot as that assumption.

I'm okay with makepkg only recording the information it is personally
responsible for setting in the first place. :)

That's what my patch does. If people are creating packages in such a way
that the environment outside of makepkg affects the result, then there's
really nothing that can handle that -- a thousand different tools have a
thousand different boutique configuration files, for example.

As long as both packages are built in, and record, some sort of
environment where any input to the build process comes exclusively from:
- the list of packages installed on the system
- the PKGBUILD
- makepkg.conf
- the public API documented in makepkg(1) -- essentially, BUILDDIR and
  PKGEXT

I will be happy, since makepkg has "done its duty" as far as
reproducibility goes.

The best way to ensure this is to build packages using a clean user
account, but I don't think devtools should be implied, nor should
makepkg itself consider reproducible build support to be conditional on
devtools/makechrootpkg.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
