Bookmarks

Feeds

First reproducible builds conference in Athens


December 14, 2015 posted by Thomas Klausner

Last week I met with about 40 other developers from various projects (mostly Debian, but also Arch Linux, FreeBSD, Guix, Homebrew, MacPorts, Tor and some others) in Athens for a three day conference about reproducible builds, i.e. the task of getting the same binaries from the same source on a particular platform.

The advantages are better verifyability that the source code matches the binaries, thus addressing one of the many steps one has to check before trusting the software one runs.

We discussed various topics during the conference in small groups:

  • technical aspects (how to achieve this, how to cooperate over distributions, ...)
  • social aspects (how to argue for it with programmers, managers, lay people) financial aspects (how to get funding for such work)
  • lots of other stuff :)
For NetBSD, there are two parts:

Making the base system reproducible: a big part of the work for this has already been done, but there a number of open issues, visible e.g. in Debian's regularly scheduled test builds, up to the fact that this is not the default yet.

Making pkgsrc reproducible: This will be a huge task, since pkgsrc targets so many and diverse platforms. On the other hand, we have a very good framework below that that should help.

For giggles, I've compared the binary packages for png built on 7.99.22 and 7.99.23 (in my chrooted pbulk only though) and found that most differences were indeed only timestamps. So there's probably a lot of low-hanging fruit in this area as well.

If you want to help, here are some ideas:

  • fix the MKREPRO bugs (like PRs 48355, 48637, 48638, 50119, 50120, 50122)
  • check https://reproducible.debian.net/netbsd/netbsd.html for more issues, or do your own tests
  • discuss turning on MKREPRO by default
  • starting working on reproducibility in pkgsrc:
    • remove gzip time stamps from binary packages
    • use a fixed time stamp for files inside binary packages (perhaps depending on newest file in sources, or latest change in pkgsrc files for the pkg)
    • identify more of the issues, like how to get symbols ordered reproducible in binaries (look at shells/bash)
Thanks to the NetBSD developers who already worked on this before, and to TNF for funding the travel and the Linux Foundation for funding the accomodation for my participation in the conference, and Holger Levsen for inviting me. [0 comments]

 

« End of life for... | Main | In Memoriam: Ian... »


Post a Comment:
Comments are closed for this entry.