-
-
Notifications
You must be signed in to change notification settings - Fork 48
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make the whole qubes-builder deterministic #816
Comments
Comment by joanna on 11 Apr 2014 09:11 UTC A great task for somebody from the community! :) |
Comment by marmarek on 17 Apr 2014 00:05 UTC |
Modified by joanna on 20 Apr 2014 17:12 UTC |
Comment by axon on 11 Aug 2014 09:05 UTC |
Useful link for Fedora work on reproducible builds: |
Since this is actually a separate issue, I've created #2535. |
This replace custom code based on debootstrap and apt-get. The major gain here is much smaller build environment (only declared dependencies are installed), and also sharing tools with the upstream. Also it simplifies the builder a lot. The downside is slower operation (pbuilder re-install all the build dependencies each time). This work was done collectively with @HW42, during Reproducible Builds Summit. QubesOS/qubes-issues#816
Makefile syntax is horrible for this kind of things... QubesOS/qubes-issues#816
Make source tarball clean, without build outputs. QubesOS/qubes-issues#816
This replace custom code based on debootstrap and apt-get. The major gain here is much smaller build environment (only declared dependencies are installed), and also sharing tools with the upstream. Also it simplifies the builder a lot. The downside is slower operation (pbuilder re-install all the build dependencies each time). This work was done collectively with @HW42, during Reproducible Builds Summit. QubesOS/qubes-issues#816
It's required for key handling if pbuilder is run on Ubuntu (including Travis CI). QubesOS/qubes-issues#816
We install newer pbuilder, which is in new package format (the one having contri.tar.xz, instead of control.tar.gz). QubesOS/qubes-issues#816
This replace custom code based on debootstrap and apt-get. The major gain here is much smaller build environment (only declared dependencies are installed), and also sharing tools with the upstream. Also it simplifies the builder a lot. The downside is slower operation (pbuilder re-install all the build dependencies each time). This work was done collectively with @HW42, during Reproducible Builds Summit. QubesOS/qubes-issues#816
This replace custom code based on debootstrap and apt-get. The major gain here is much smaller build environment (only declared dependencies are installed), and also sharing tools with the upstream. Also it simplifies the builder a lot. The downside is slower operation (pbuilder re-install all the build dependencies each time). This work was done collectively with @HW42, during Reproducible Builds Summit. QubesOS/qubes-issues#816
This replace custom code based on debootstrap and apt-get. The major gain here is much smaller build environment (only declared dependencies are installed), and also sharing tools with the upstream. Also it simplifies the builder a lot. The downside is slower operation (pbuilder re-install all the build dependencies each time). This work was done collectively with @HW42, during Reproducible Builds Summit. QubesOS/qubes-issues#816
A preliminary method for distributing buildinfo files. QubesOS/qubes-issues#816
If repository configuration is created by builder-debian plugin (not the case for official repositories), include buildinfo files too. Useful for reproducing packages. QubesOS/qubes-issues#816
Call rpmbuildinfo script in the build environment to collect relevant information. QubesOS/qubes-issues#816
Since RPM packages are signed, include also signed checksums. This should ease matching buildinfo files to specific binary packages to verify. Note it isn't possible to reproduce the signature without access to private key, so for actual verification one needs to strip the signature anyway. Once buildinfo contains final hashes, sign the buildinfo file itself. QubesOS/qubes-issues#816
Call rpmbuildinfo script in the build environment to collect relevant information. QubesOS/qubes-issues#816
Since RPM packages are signed, include also signed checksums. This should ease matching buildinfo files to specific binary packages to verify. Note it isn't possible to reproduce the signature without access to private key, so for actual verification one needs to strip the signature anyway. Once buildinfo contains final hashes, sign the buildinfo file itself. QubesOS/qubes-issues#816
Call rpmbuildinfo script in the build environment to collect relevant information. QubesOS/qubes-issues#816
Since RPM packages are signed, include also signed checksums. This should ease matching buildinfo files to specific binary packages to verify. Note it isn't possible to reproduce the signature without access to private key, so for actual verification one needs to strip the signature anyway. Once buildinfo contains final hashes, sign the buildinfo file itself. QubesOS/qubes-issues#816
This replace custom code based on debootstrap and apt-get. The major gain here is much smaller build environment (only declared dependencies are installed), and also sharing tools with the upstream. Also it simplifies the builder a lot. The downside is slower operation (pbuilder re-install all the build dependencies each time). This work was done collectively with @HW42, during Reproducible Builds Summit. QubesOS/qubes-issues#816
Status:
Besides packages itself, some tooling is missing to reproduce environment (frozen set of dependencies). We do have buildinfo files, but not an automated way to prepare build environment based on it. cc @iprid23 |
@marmarek what is the current status of reproducible builds? Is the Qubes install iso deterministically reproducible? |
No, it isn't. Not much changed from the comment above, but we do have scheduled some work on this later this year. |
What is the current status of reproducible builds for the Qubes install iso? |
Reported by joanna on 11 Apr 2014 09:09 UTC
... to allow easy, independent comparison of rpms/ISOs build from the same sources on different machines and by different people.
In the future: allow rpm/iso signatures by ""M out of N" signers.
Migrated-From: https://wiki.qubes-os.org/ticket/816
The text was updated successfully, but these errors were encountered: