openSUSE:Reproducible Builds
For openSUSE Reproducible Builds, we try to identify packages that produce different binaries when built on different hosts or at different times, and then remove the sources of those differences.
https://reproducible-builds.org/ has general information. It also explains why this is useful.
If you want to help, contact Bernhard M. Wiedemann <reproducibleopensuse zq1.de>
Besides the distribution-independent places to discuss reproducible builds, there is an openSUSE-specific reproducible builds Matrix room.
With OBS
The project openSUSE:Factory was switched to be reproducible by default on 2024-03-11. If you use something that is not based on it, you need the additional configuration explained in the next section.
Packages from OBS will only be bit-identical to your local builds after processing them with
rpm --delsign $RPMPACKAGE
Additional configuration for other distributions
If you want OBS to produce verifiable bit-identical binaries for you, you need to have in your project's prjconf
Macros:
%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible
:Macros
You can also edit it in a shell with
osc meta -e prjconf $PROJECT
The first macro is already default-on in Tumbleweed, Leap 15.0, Leap 15.1, and Leap 15.2.
The other macros will normalize build times and hostname values. So if you want to find out when and where a package was actually built, you need to look at the signature date and use osc jobhistory.
When you have just enabled these macros, existing packages will remain as they are. After the next source change or
osc wipebinaries --repo=openSUSE_Tumbleweed --all $PROJECT
newly built binaries will be created and published. A plain 'rebuild' is not enough, because build-compare will notice that the new build is similar to the old packages and discard the new build result.
Verifying
You can do a local build and compare it to the OBS build result by calling the nachbau script in a checkout dir. See the repo's README.md for setup instructions.
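The comparison behind this check, as an added example that is not the nachbau script or other project code: it removes signatures from temporary copies with rpm --delsign and compares SHA-256 digests. The function names and the STRIP_SIG override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not project code). STRIP_SIG is a hypothetical override
# hook for this script; it defaults to the page's command.
STRIP_SIG="${STRIP_SIG:-rpm --delsign}"

# unsigned_sha256 FILE: print the SHA-256 of FILE with signatures removed.
# rpm --delsign rewrites the file in place, so work on a temporary copy.
unsigned_sha256() {
    tmpdir=$(mktemp -d) || return 2
    if ! cp -- "$1" "$tmpdir/pkg.rpm" ||
       ! $STRIP_SIG "$tmpdir/pkg.rpm" >/dev/null 2>&1; then
        rm -rf "$tmpdir"
        return 2
    fi
    sha256sum "$tmpdir/pkg.rpm" | cut -d' ' -f1
    rm -rf "$tmpdir"
}

# same_unsigned OBS_RPM LOCAL_RPM
# Returns 0 if bit-identical once unsigned, 1 if different, 2 on error.
same_unsigned() {
    a=$(unsigned_sha256 "$1") || return 2
    b=$(unsigned_sha256 "$2") || return 2
    if [ "$a" = "$b" ]; then
        echo "identical without signatures: $a"
        return 0
    fi
    echo "DIFFERENT: $1 ($a) vs $2 ($b)"
    # Show the header fields that the prjconf macros normalize; differing
    # values here suggest one build ran without them.
    for f in "$1" "$2"; do
        rpm -qp --qf '%{NAME}: buildhost=%{BUILDHOST} buildtime=%{BUILDTIME}\n' \
            "$f" 2>/dev/null || true
    done
    return 1
}

# Usage: sh thisfile.sh obs.rpm local.rpm
if [ "$#" -eq 2 ]; then
    same_unsigned "$1" "$2"
fi
```

In a pipeline, exit status 1 means the two builds differ and 2 means the comparison itself could not run.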
Manually verifying
Here is a step-by-step explanation of how to manually reproduce a package with osc build.
Debugging
See the guide on how to find, debug and fix reproducibility issues in openSUSE OBS packages.
Status
The openSUSE r-b CI graph has package counts.
Status reports of reproducible builds in openSUSE can be found on the openSUSE Factory mailing list.
Further Resources
- https://github.com/bmwiedemann/reproducibleopensuse scripts to help us find issues with openSUSE OBS packages
- https://rb.zq1.de/compare.factory/ diffs of unreproducible packages (is a symlink pointing to the latest results dir)
- https://github.com/bmwiedemann/theunreproduciblepackage examples and explanations of sources of indeterminism
- https://lists.reproducible-builds.org/pipermail/rb-general/2018-December/001301.html summary of rpm/OBS/osc/obs-build/build-compare r-b work
- https://events.opensuse.org/conference/oSC16/program/proposal/838 openSUSE conference talk from 2016
- https://events.opensuse.org/conference/oSC17/program/proposal/1236 openSUSE conference talk from 2017
- https://ossna2022.sched.com/event/11NpJ/reproducible-builds-unexpected-benefits-and-problems-bernhard-m-wiedemann-suse https://www.youtube.com/watch?v=RfN2eWn6c9o SupplyChainSecurityCon talk from 2022