Project Title: Reproducible openSUSE builds
Description: The Reproducible Builds Project is working on making builds of binary packages from sources reproducible so that builds from the same sources always create the bit-wise identical results. This way users can prove that packages are built from the sources they claim to be built from without having to trust the build servers. This can be important to prevent malicious modifications of the binaries during build or to make build processes more efficient by eliminating rebuilds due to changes in builds from unchanged sources.
openSUSE has a lot of technology in this area with the build service, all the packaging infrastructure and tools such as build-compare. The goal of this project would be to make the reproducibility of builds in openSUSE visible, create metrics and tests, and fix issues to make more builds reproducible.
Deliverable: This project is a bit open in what results are expected. A minimal result would be to have tests to measure and track reproducibility of builds, a maximum result would be to have all tests green and be able to build a whole distribution such as Leap in a reproducible way. Other possible results could be a dashboard for reproducible builds in openSUSE, integration with the upstream reproducible build project, or improvements in the tools for building and comparing packages.
Mentor: The project was entered by @cornelius. Mentors are still wanted.
Skills: Building and packaging of software, RPM, familiarity with openSUSE, debugging of build problems, for visualization of tests some web development skills, scripting and shell
Skill Level: Medium to Hard
Get started: Have a look at https://reproducible-builds.org and play around with the concepts and tools there, apply them to openSUSE. We'll define more concrete starting points when the project becomes more concrete.
@cornelius @lnussel @coolo is this one still valid? If yes please open a new issue! Thanks!