openSUSE:Reproducible Builds


For openSUSE Reproducible Builds, we try to identify packages that produce different binaries when built on different hosts or at different times, and then remove the sources of those differences.

https://reproducible-builds.org/ has general information. It also explains why this is useful.

We track the work to do for reproducible builds in openSUSE as blockers of a tracking bug in Bugzilla.

If you want to help, contact Bernhard M. Wiedemann <reproducibleopensuse zq1.de>

Besides the distribution-independent places to discuss reproducible builds, there is an openSUSE-specific reproducible builds Matrix room.

With OBS

The project openSUSE:Factory was switched to be reproducible by default on 2024-03-11. If you use something that is not based on it, you need the additional configuration explained in the next section.

Packages from OBS will only be bit-identical to your local builds after processing them with

rpm --delsign $RPMPACKAGE

Additional configuration for other distributions

If you want OBS to produce verifiable bit-identical binaries for you, you need the following in your project's prjconf:

Macros:
%source_date_epoch_from_changelog Y
%clamp_mtime_to_source_date_epoch Y
%use_source_date_epoch_as_buildtime Y
%_buildhost reproducible
:Macros

You can also edit it in a shell with

osc meta -e prjconf $PROJECT

The first macro is already default-on in Tumbleweed and in Leap 15.0, Leap 15.1, and Leap 15.2. The other macros will normalize build times and hostname values. So if you want to find out when and where a package was actually built, you need to look at the signature date and use osc jobhistory.
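
To check whether a project's prjconf already carries the four macros listed above, the following added example (not part of the original page or of OBS tooling) reads a prjconf on stdin and reports macros that are missing from the Macros: ... :Macros block or set to a value other than the one this page lists. The function name check_repro_macros is hypothetical, and it assumes the last definition of a macro wins, as in an rpm macros file.

```sh
#!/bin/sh
# Added example: audit a prjconf for the reproducibility macros from this page.
# Usage: osc meta prjconf "$PROJECT" | check_repro_macros
# Returns 0 when all four macros are set as listed, 1 otherwise.

check_repro_macros() {
    awk '
    BEGIN {
        # Expected name=value pairs, taken from the prjconf snippet on this page.
        n = split("source_date_epoch_from_changelog=Y clamp_mtime_to_source_date_epoch=Y use_source_date_epoch_as_buildtime=Y _buildhost=reproducible", pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            names[i] = kv[1]
            want[kv[1]] = kv[2]
        }
    }
    { sub(/\r$/, "") }                       # tolerate CRLF line endings
    /^Macros:[ \t]*$/ { in_macros = 1; next }
    /^:Macros[ \t]*$/ { in_macros = 0; next }
    in_macros && /^%/ {
        # Only definitions inside the Macros block count.
        name = substr($1, 2)
        if (name in want) got[name] = $2     # assumption: last definition wins
    }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            name = names[i]
            if (!(name in got)) {
                printf "MISSING %%%s\n", name
                bad = 1
            } else if (got[name] != want[name]) {
                printf "DIFFERS %%%s %s (page lists %s)\n", name, got[name], want[name]
                bad = 1
            }
        }
        exit bad
    }'
}
```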

Right after you enable these macros, existing packages remain as they are. New binaries are built and published only after the next source change or after running

osc wipebinaries --repo=openSUSE_Tumbleweed --all $PROJECT

A plain 'rebuild' is not enough, because build-compare will notice that the result is similar to the old packages and discard the new build result.

Verifying

You can do a local build and compare it to the OBS build result by calling the nachbau script in a checkout dir. See the repo's README.md for setup instructions.

Manually verifying

Here is a step-by-step explanation of how to manually reproduce a package with osc build.

Debugging

See the guide on how to find, debug and fix reproducibility issues in openSUSE OBS packages.

Status

The openSUSE r-b CI graph has package counts.

Status reports of reproducible builds in openSUSE can be found on the openSUSE Factory mailing list.


Further Resources