orb: check opam package reproducibility

This tool can check if an opam package build is reproductible (cf. https://reproducible-builds.org). It has two subcommands: build and rebuild.

The orb build conducts a build of an opam package, and collects the build result (and hashes thereof) and the build input (or build info), consisting of:

• build-environment (the environment variables plus OS/OS_DISTRIBUTION/OS_FAMILY/OS_VERSION/ORB_VERSION)
• system-packages (the installed packages on the system)
• opam-switch (opam switch export --full --freeze - a textual representation containing all installed opam packages)
• *.build-hashes with maps of installed files to their hashes

The orb rebuild takes this data as input and conducts a second build with the same environment, and compares that the hashes of the produced binaries are identical.

The orb build also has a command-line flag "--twice" to conduct a build and a rebuild directly afterwards. For debugging reproducibility, the "--keep-build-dir" option is provided that allows to compare intermediate build products as well.

Please have a look at "--out", "--switch-name", "--solver-timeout", "--date", and other command line parameters.

It is currently used as a payload of builder-worker to run the reproducible MirageOS unikernels infrastructure.

Binary packages for different platforms (Debian, Ubuntu, FreeBSD) are available at https://builds.robur.coop

Install & use

$ opam pin git+https://github.com/roburio/orb#next
$ orb build --twice --repos=default:https://opam.ocaml.org cmdliner

Simple (and fast) failing and successful reproducible opam packages are in the reproducible-testing-repo.