Re: Participation of Arch in Google Summer of Code.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 2/19/19 11:26 AM, Tinu Weber wrote:
> On Tue, Feb 19, 2019 at 10:22:34 -0500, Eli Schwartz via arch-general wrote:
>> On 2/19/19 10:19 AM, Tinu Weber wrote:
>>> On Tue, Feb 19, 2019 at 14:10:34 +0100, Robin Broda via arch-general wrote:
>>>> remakepkg invalidates .BUILDINFO and breaks reproducible builds as far as i can tell.
>>>
>>> The semantics of .BUILDINFO in the context of remakepkg were unclear to
>>> me, so I chose to simply ignore it. Reproducible builds were not taken
>>> into account, so it's indeed very likely that it breaks that.
>>>
>>> In the end, remakepkg is a hack. But the underlying concept itself is
>>> already a hack, so I'm not feeling too bad, to be honest :-)
>>>
>>> (that being said, I'm obviously open for discussing suggestions)
>>
>> I see no problem and nothing to fix here. reproducible rebuilding a
>> .pkg.tar.xz created by remakepkg, which has as its whole purpose,
>> surgery upon a package, seems fundamentally unreproducible to me,
>> moreover why would you want to reproduce it -- a reproducible rebuild of
>> remakepkg packages should have as its only input, the original .pkg.tar.xz
> 
> I was thinking more of: "If I run remakepkg twice on the same package,
> with the same rules, do I get the same output package?".
> 
> I just checked, and I do indeed modify the timestamp of a file when
> patching it (both the file itself and its MTREE entry), and I don't
> respect SOURCE_DATE_EPOCH, so I would conclude that remakepkg does not
> produce reproducible .pkg.tar.xz files.

That's a fair point. If you wanted to have remakepkg be a program that
supported reproducible builds, it would need to respect some form of
SOURCE_DATE_EPOCH -- I suggest using the builddate that the original
.pkg.tar.xz used.

As well, provide some mechanism for
https://reproducible-builds.org/docs/recording/ the input (the
.pkg.tar.xz and the deviations that have been declared).

The difference is that it is hardly an issue if remakepkg invalidates
the makepkg .BUILDINFO spec, since remakepkg is not makepkg and isn't
expected to produce the same output as makepkg anyway -- it is only
meant to produce output that *pacman/libalpm* can consume.

-- 
Eli Schwartz
Bug Wrangler and Trusted User

Attachment: signature.asc
Description: OpenPGP digital signature


[Index of Archives]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Samba]     [Device Mapper]

  Powered by Linux