openSUSE:Reproducible Builds

For openSUSE Reproducible Builds we are trying to identify packages that produce different binaries when building on different hosts or times. And then we remove the sources of those diffs.

Resources

• https://reproducible-builds.org/ collects information around reproducible builds
• https://reproducible-builds.org/docs/buy-in/ lists why reproducible builds are useful.
• https://github.com/bmwiedemann/reproducibleopensuse scripts to help us find issues with openSUSE OBS packages
• https://rb.zq1.de/compare.factory/ diffs of unreproducible packages (is a symlink pointing to the latest results dir)
• https://github.com/bmwiedemann/theunreproduciblepackage examples and explanations of sources of indeterminism
• master trackerbug
• https://lists.reproducible-builds.org/pipermail/rb-general/2018-December/001301.html summary of rpm/OBS/osc/obs-build/build-compare r-b work
• https://events.opensuse.org/conference/oSC16/program/proposal/838 openSUSE conference talk from 2016
• https://events.opensuse.org/conference/oSC17/program/proposal/1236 openSUSE conference talk from 2017
• https://www.suse.com/c/extending-trust-in-our-binaries-no-backdoors-have-been-found/ blog post from 2018-08

If you want to help, contact Bernhard M. Wiedemann <reproducibleopensuse zq1.de>

With OBS

If you want OBS to produce verifyable bit-identical binaries for you, you need to have in your project's prjconf

Macros:
%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible
:Macros

You can also edit it in a shell with

osc meta -e prjconf $PROJECT

The first macro is already default-on in Tumbleweed and Leap-15.0. The other macros will normalize build times and hostname values. So if you want to find out when and where a package was actually built, you need to look at the signature date and use osc jobhistory.

When you just enabled these macros, packages will remain as they are. After the next source change or

osc wipebinaries --repo=openSUSE_Tumbleweed --all $PROJECT

newly built binaries will be created and published. Just 'rebuild' is not enough, because build-compare will notice that it is similar to the old packages and discard the new build result.

Packages from OBS will only be bit-identical to your local builds after processing them with

rpm --delsign $RPMPACKAGE

Verifying

You can do a local build and compare it to the OBS build result by calling the nachbau script in a checkout dir. See the repo's README.md for setup instructions.