For openSUSE Reproducible Builds we are trying to identify packages that produce different binaries when built on different hosts or at different times, and then remove the sources of those differences.
- https://reproducible-builds.org/ collects information around reproducible builds
- https://reproducible-builds.org/docs/buy-in/ lists why reproducible builds are useful.
- https://github.com/bmwiedemann/reproducibleopensuse scripts to help us find issues with openSUSE OBS packages
- http://rb.zq1.de/compare.factory/ diffs of unreproducible packages (is a symlink pointing to the latest results dir)
- https://github.com/bmwiedemann/theunreproduciblepackage examples and explanations of sources of indeterminism
- master trackerbug
- https://events.opensuse.org/conference/oSC16/program/proposal/838 openSUSE conference talk from 2016
- https://events.opensuse.org/conference/oSC17/program/proposal/1236 openSUSE conference talk from 2017
- https://www.suse.com/c/extending-trust-in-our-binaries-no-backdoors-have-been-found/ blog post from 2018-08
If you want to help, contact Bernhard M. Wiedemann <reproducibleopensuse zq1.de>
If you want OBS to produce verifiable bit-identical binaries for you, you need to have the following in your project's prjconf:
Macros:
%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible
:Macros
You can also edit it in a shell with
osc meta -e prjconf $PROJECT
The first macro is already default-on in Tumbleweed and Leap-15.0.
The other macros will normalize build times and hostname values. So if you want to find out when and where a package was actually built, you need to look at the signature date and use
When you have just enabled these macros, already published packages remain as they are. After the next source change or
osc wipebinaries --repo=openSUSE_Tumbleweed --all $PROJECT
newly built binaries will be created and published. A plain 'rebuild' is not enough, because build-compare will notice that the result is similar to the old packages and discard the new build result.
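As an added check (example script, not part of this page or of the reproducibleopensuse repository): a POSIX shell function that reads a prjconf text, extracts its Macros: ... :Macros section and reports which of the four macros listed above are missing or carry a different value. The two sample prjconf texts are constructed for the demonstration; the macro names and values are exactly the ones given above.

```shell
#!/bin/sh
# Added example: verify that a prjconf carries the reproducible-build macros.
# The required "name value" pairs are the four macros from the page.
REQUIRED_MACROS='%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible'

# missing_macros TEXT
# Prints one "name value" line per required macro that is absent from the
# Macros: ... :Macros section of TEXT (or present with another value).
missing_macros() {
    section=$(printf '%s\n' "$1" | sed -n '/^Macros:/,/^:Macros/p')
    while read -r name value; do
        [ -n "$name" ] || continue
        # Match the macro at line start, followed by whitespace and the value.
        if ! printf '%s\n' "$section" | grep -Eq "^${name}[[:space:]]+${value}[[:space:]]*\$"; then
            printf '%s %s\n' "$name" "$value"
        fi
    done <<EOF
$REQUIRED_MACROS
EOF
}

# check_prjconf TEXT
# Returns 0 when every required macro is present with the expected value.
check_prjconf() {
    [ -z "$(missing_macros "$1")" ]
}

# Constructed sample: a prjconf with all four macros (plus an unrelated line).
COMPLETE_PRJCONF='Prefer: libfoo
Macros:
%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible
:Macros'

# Constructed sample: only the macro that is default-on in Tumbleweed.
PARTIAL_PRJCONF='Macros:
%source_date_epoch_from_changelog Y
:Macros'

# Stand-alone demonstration.
for sample in COMPLETE_PRJCONF PARTIAL_PRJCONF; do
    eval "text=\$$sample"
    if check_prjconf "$text"; then
        echo "$sample: all reproducible-build macros present"
    else
        echo "$sample: missing macros:"
        missing_macros "$text" | sed 's/^/  /'
    fi
done
```

The function only looks inside the Macros: section, so a macro name that appears elsewhere in the prjconf (for example in a comment) does not count as set. To check a real project, feed it the output of `osc meta prjconf $PROJECT`.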
Packages from OBS will only be bit-identical to your local builds after removing the OBS signature from them with
rpm --delsign $RPMPACKAGE
You can do a local build and compare it to the OBS build result by calling the nachbau script in a checkout dir. See the repo's README.md for setup instructions.