Publish .buildinfo files somewhere #6356

Open
Tracked by #6310
legoktm opened this issue Mar 23, 2022 · 3 comments
legoktm commented Mar 23, 2022

Building Debian packages generates a .buildinfo file (see spec: https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles). These files document what the build environment was at the time of building, so that if someone wanted to reproduce the build, they'd know exactly what packages they needed. Tools like debrebuild use buildinfo files to verify that packages are actually reproducible.

Debian currently has a proof-of-concept buildinfo server (https://buildinfo.debian.net/) but no official API, so we can really do whatever we want here.

My proposal is to create a new public Git repository, freedomofpress/buildinfo (or if that's too generic, freedomofpress/debian-buildinfo) that just contains these as an archive for now. Similar to the build-logs repository, maintainers will copy and commit any *.buildinfo files to this repo. CI that builds nightlies will also copy these over. We can split them into directories by month (2022-03/foo.buildinfo) to keep any one directory from being super giant. The idea would be that we always just keep adding to this; old buildinfo metadata would never be purged from it.

Anyone who wants to try rebuilding our packages can either clone the Git repo or download individual files via the GitHub web interface. And if one day a standardized API exists for serving buildinfo files, we can set that up on top of the Git repo, or import everything in the Git repo into that and archive the repo.

legoktm changed the title from "Publish .buildinfo files (see spec: https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles)" to "Publish .buildinfo files somewhere" on Mar 23, 2022
legoktm commented Feb 22, 2023

Kev suggested just putting these in the existing build-logs repo, I think that's probably fine.

legoktm added a commit to freedomofpress/securedrop-dev-docs that referenced this issue Mar 10, 2023
Create a new "Build metadata" page that consolidates documentation from
<https://github.com/freedomofpress/securedrop/wiki/Build-logs> and parts
of the release management guides.

We are also going to start requiring the publishing of `.buildinfo`
files (see freedomofpress/securedrop#6754), so
document how they work and where they should be published.

Refs <freedomofpress/securedrop#6356>.
legoktm added a commit to freedomofpress/securedrop-builder that referenced this issue Mar 10, 2023
To theoretically try independently reproducing these builds, just like
we want to for release builds.

Refs <freedomofpress/securedrop#6356>.
@legoktm legoktm self-assigned this Mar 10, 2023
legoktm added a commit to freedomofpress/securedrop-builder that referenced this issue Mar 10, 2023
To theoretically try independently reproducing these builds, just like
we want to for release builds. This also provides the checksum of
packages in a machine-readable format.

We push to build-logs before apt-test to allow eventual CI in apt-test
to verify that packages in that repository match the published buildinfo.

Refs <freedomofpress/securedrop#6356>.
legoktm added a commit to freedomofpress/securedrop-builder that referenced this issue Mar 10, 2023
buildinfo files contain package checksums in a machine-readable
format, so script checking newly added packages against those.

This will be added to CI for securedrop-apt-test and securedrop-apt-prod.

The main iffy part of this is how it compares against "origin/main",
but I think for PRs it'll mostly do the right thing. We only check new
packages because old ones don't have buildinfo published. Maybe once
we no longer have any legacy cases left, we just check everything in
the repository.

Likely there are more checks that could be added, but this is a start.

Refs <freedomofpress/securedrop#6356>.
legoktm added a commit to freedomofpress/securedrop-apt-test that referenced this issue Mar 10, 2023
CI verifies that newly added packages had a buildinfo file
pushed to the build-logs repository and the package checksum
matches that.

The check-buildinfo script is added in <freedomofpress/securedrop-builder#423>.

Refs <freedomofpress/securedrop#6356>.
legoktm commented Mar 11, 2023

legoktm commented Mar 15, 2023

One thing that was raised during team discussion is whether we could embed other metadata in buildinfo files, like a git version or something. At the time I had suggested that we could stick it in the environment and then it'll get picked up and exported into the Environment section. After reading the dpkg code, it has a hardcoded set of environment variables to check.

I think we can still get away with a simple `echo " SD_GIT_VERSION=\"foo\"" >> foo.buildinfo` though.
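
The following is an added example, not code from the SecureDrop repositories, that ties together three points on this page: what a .buildinfo file records (the opening post), the check-buildinfo idea from the commit messages (CI confirming that a newly added .deb matches the Checksums-Sha256 entry of the published buildinfo), and the suggestion above of appending an extra `KEY="value"` line to the Environment section. The buildinfo text and the package bytes are constructed for the example; the variable name SD_GIT_VERSION comes from the issue, while the package name, SD_BUILD_HOST and the dependency versions are assumptions.

```python
"""Parse a Debian .buildinfo file and check packages against it.

Added example, not code from the SecureDrop repositories: the buildinfo text,
the package bytes and every name other than SD_GIT_VERSION are constructed.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class BuildInfo:
    fields: dict            # field name -> raw lines
    checksums_sha256: dict  # filename -> (hex digest, size in bytes)
    environment: dict       # VAR -> value with dpkg's double quotes removed


def parse_buildinfo(text: str) -> BuildInfo:
    """deb822-style layout: 'Name: value' lines, continuation lines indented by
    whitespace. Only Checksums-Sha256 and Environment are interpreted."""
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current].append(raw.strip())
        else:
            name, _, value = raw.partition(":")
            current = name.strip()
            fields[current] = [value.strip()] if value.strip() else []
    checksums = {}
    for line in fields.get("Checksums-Sha256", []):
        digest, size, filename = line.split()
        if not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"malformed sha256 for {filename}")
        checksums[filename] = (digest, int(size))
    environment = {}
    for line in fields.get("Environment", []):
        key, _, value = line.partition("=")
        # dpkg writes values double-quoted, embedded quotes backslash-escaped
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        environment[key] = value.replace('\\"', '"')
    return BuildInfo(fields, checksums, environment)


def verify_package(info: BuildInfo, filename: str, data: bytes) -> tuple:
    """Compare one package with its Checksums-Sha256 entry -> (ok, reason).
    Size first (cheap, catches truncation), then the digest; a package with
    no entry at all is a failure, not a pass."""
    entry = info.checksums_sha256.get(filename)
    if entry is None:
        return (False, "no Checksums-Sha256 entry in buildinfo")
    expected_digest, expected_size = entry
    if len(data) != expected_size:
        return (False, f"size mismatch: {len(data)} != {expected_size}")
    if hashlib.sha256(data).hexdigest() != expected_digest:
        return (False, "sha256 mismatch")
    return (True, "ok")


def check_new_packages(info: BuildInfo, packages: dict) -> dict:
    """CI-style pass over every newly added package: filename -> reason."""
    return {name: verify_package(info, name, data)[1] for name, data in packages.items()}


def append_environment_entry(text: str, key: str, value: str) -> str:
    """Append ' KEY="value"' the way the echo >> trick does, but only under the
    two conditions that make it valid: the file is not yet signed (a clearsigned
    buildinfo ends with a PGP block) and Environment is the last field."""
    if "BEGIN PGP" in text:
        raise ValueError("buildinfo is signed; append metadata before signing")
    field_lines = [l for l in text.splitlines() if l and l[0] not in " \t"]
    if not field_lines or not field_lines[-1].startswith("Environment:"):
        raise ValueError("Environment is not the last field; cannot append blindly")
    escaped = value.replace('"', '\\"')
    return text + ("" if text.endswith("\n") else "\n") + f' {key}="{escaped}"\n'


# Constructed sample: a stand-in byte string rather than a real ar-format .deb,
# and a buildinfo whose checksum line is derived from it.
PACKAGE_NAME = "securedrop-example_1.0.0_amd64.deb"
PACKAGE_BYTES = b"!<arch>\nconstructed stand-in payload, not a real package\n"
_DIGEST = hashlib.sha256(PACKAGE_BYTES).hexdigest()
SAMPLE_BUILDINFO = f"""Format: 1.0
Source: securedrop-example
Binary: securedrop-example
Architecture: amd64
Version: 1.0.0
Checksums-Sha256:
 {_DIGEST} {len(PACKAGE_BYTES)} {PACKAGE_NAME}
Build-Origin: Debian
Build-Architecture: amd64
Installed-Build-Depends:
 base-files (= 11.1+deb11u6),
 dpkg-dev (= 1.20.12)
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
 SOURCE_DATE_EPOCH="1678406400"
 SD_GIT_VERSION="2.5.0-constructed"
"""

if __name__ == "__main__":
    info = parse_buildinfo(SAMPLE_BUILDINFO)
    for name, reason in check_new_packages(info, {PACKAGE_NAME: PACKAGE_BYTES}).items():
        print(f"{name}: {reason}")
    print("git version from Environment:", info.environment.get("SD_GIT_VERSION"))
```

Two caveats the append helper encodes: because dpkg-genbuildinfo only exports an allow-listed set of variables, extra metadata has to be added after the file is generated, and that has to happen before the buildinfo is signed, since a clearsigned file no longer ends with the Environment section. Reading the value back through the same parser is the check that the appended line actually landed where a rebuilder will look for it.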

legoktm added a commit to freedomofpress/securedrop-apt-test that referenced this issue Apr 3, 2023
CI verifies that newly added packages had a buildinfo file
pushed to the build-logs repository and the package checksum
matches that.

The check-buildinfo script was added in <freedomofpress/securedrop-builder#423>.

Refs <freedomofpress/securedrop#6356>.