Publish .buildinfo files somewhere #6356
Kev suggested just putting these in the existing build-logs repo, I think that's probably fine.
Create a new "Build metadata" page that consolidates documentation from <https://github.com/freedomofpress/securedrop/wiki/Build-logs> and parts of the release management guides. We are also going to start requiring the publishing of `.buildinfo` files (see freedomofpress/securedrop#6754), so document how they work and where they should be published. Refs <freedomofpress/securedrop#6356>.
To theoretically try independently reproducing these builds, just like we want to for release builds. Refs <freedomofpress/securedrop#6356>.
To theoretically try independently reproducing these builds, just like we want to for release builds. This also provides the checksum of packages in a machine-readable format. We push to build-logs before apt-test to allow eventual CI in apt-test to verify that packages in that repository match the published buildinfo. Refs <freedomofpress/securedrop#6356>.
buildinfo files contain package checksums in a machine-readable format, so script checking newly added packages against those. This will be added to CI for securedrop-apt-test and securedrop-apt-prod. The main iffy part of this is how it compares against "origin/main", but I think for PRs it'll mostly do the right thing. We only check new packages because old ones don't have buildinfo published. Maybe once we no longer have any legacy cases left, we just check everything in the repository. Likely there are more checks that could be added, but this is a start. Refs <freedomofpress/securedrop#6356>.
CI verifies that newly added packages had a buildinfo file pushed to the build-logs repository and the package checksum matches that. The check-buildinfo script is added in <freedomofpress/securedrop-builder#423>. Refs <freedomofpress/securedrop#6356>.
Overview of the ongoing buildinfo work:

One thing that was raised during team discussion is whether we could embed other metadata in buildinfo files, like a git version or something. At the time I had suggested that we could stick it in the environment and then it'll get picked up and exported into the I think we can still get away with a simple
Building Debian packages generates a `.buildinfo` file (see spec: https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles). These files document what the build environment was at the time of building, so that if someone wanted to reproduce the build, they'd know exactly what packages they needed. Tools like debrebuild use buildinfo files to verify that packages are actually reproducible.

Debian currently has a proof-of-concept buildinfo server (https://buildinfo.debian.net/) but no official API, so we can really do whatever we want here.

My proposal is to create a new public Git repository, `freedomofpress/buildinfo` (or if that's too generic, `freedomofpress/debian-buildinfo`) that just contains these as an archive for now. Similar to the build-logs repository, maintainers will copy and commit any `*.buildinfo` files to this repo. CI that builds nightlies will also copy these over. We can split them into directories by month (`2022-03/foo.buildinfo`) to avoid one directory from being super giant. The idea would be that we always just keep adding to this; old buildinfo metadata would never be purged from it.

Anyone who wants to try rebuilding our packages can either clone the Git repo or download individual files via the GitHub web interface. And if one day a standardized API exists for serving buildinfo files, we can set that up on top of the Git repo, or import everything in the Git repo into that and archive the repo.