openSUSE:Reproducible Builds


For openSUSE Reproducible Builds, we are trying to identify packages that produce different binaries when built on different hosts or at different times. We then remove the sources of those differences.

Resources

If you want to help, contact Bernhard M. Wiedemann <reproducibleopensuse zq1.de>

With OBS

If you want OBS to produce verifiable bit-identical binaries for you, you need to have the following in your project's prjconf:

Macros:
%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible
:Macros

You can also edit it in a shell with

osc meta -e prjconf $PROJECT

The first macro is already default-on in Tumbleweed and Leap-15.0. The other macros will normalize build times and hostname values. So if you want to find out when and where a package was actually built, you need to look at the signature date and use osc jobhistory.
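
What clamping timestamps does for bit-identical output, as an added example that is not part of the original page nor OBS or rpm code: two simulated builds an hour apart are archived with tar (standing in for the RPM payload) and hashed before and after their mtimes are clamped to SOURCE_DATE_EPOCH. The function names, the epoch value and the file layout are constructed for illustration; GNU tar, find, touch and sha256sum are assumed.

```shell
#!/bin/sh
# Added illustration, not OBS or rpm code. tar stands in for the RPM payload.
SOURCE_DATE_EPOCH=1514764800   # constructed value: 2018-01-01 00:00:00 UTC
export SOURCE_DATE_EPOCH

# Simulate a build into $1 whose wall-clock time is epoch second $2.
fake_build() {
    mkdir -p "$1/usr/bin"
    printf 'binary\n' > "$1/usr/bin/hello"
    printf 'doc\n' > "$1/README"
    touch -d "@$2" "$1/usr/bin/hello"        # generated at build time
    touch -d "@1500000000" "$1/README"       # shipped unchanged from sources
}

# Lower every mtime that is later than SOURCE_DATE_EPOCH down to it.
# Older timestamps are left alone: this is a clamp, not a reset.
clamp_mtime() {
    ref=$(mktemp)
    touch -d "@$SOURCE_DATE_EPOCH" "$ref"
    find "$1" -newer "$ref" -exec touch -d "@$SOURCE_DATE_EPOCH" {} +
    rm -f "$ref"
}

# Hash an archive of $1 with fixed entry order and ownership, so that
# file content, modes and mtimes are the only inputs left.
payload_hash() {
    tar --format=ustar --sort=name --owner=0 --group=0 --numeric-owner \
        -C "$1" -cf - . | sha256sum | cut -d' ' -f1
}

demo() {
    work=$(mktemp -d)
    fake_build "$work/a" 1600000000          # first host
    fake_build "$work/b" 1600003600          # second host, one hour later
    if [ "$(payload_hash "$work/a")" = "$(payload_hash "$work/b")" ]; then
        echo "unclamped: identical"
    else
        echo "unclamped: differ"
    fi
    clamp_mtime "$work/a"; clamp_mtime "$work/b"
    if [ "$(payload_hash "$work/a")" = "$(payload_hash "$work/b")" ]; then
        echo "clamped: identical"
    else
        echo "clamped: differ"
    fi
    rm -rf "$work"
}
demo
```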

Right after you enable these macros, existing packages will remain as they are. After the next source change or

osc wipebinaries --repo=openSUSE_Tumbleweed --all $PROJECT

newly built binaries will be created and published. A plain 'rebuild' is not enough, because build-compare will notice that the result is similar to the old packages and discard the new build result.

Packages from OBS will only be bit-identical to your local builds after processing them with

rpm --delsign $RPMPACKAGE

Verifying

You can do a local build and compare it to the OBS build result by calling the nachbau script in a checkout dir. See the repo's README.md for setup instructions.