Reproducible Builds,
the first eleven years and beyond!
Holger Levsen
DebConf24
2024-08-02, Busan, South Korea
Reproducible Builds,
Preserving other build artifacts
Holger Levsen
DebConf24
2024-08-02, Busan, South Korea
Who am I
- Holger Levsen / holger@debian.org, located in Hamburg, Germany. Born at 329 ppm. He/him. π³οΈβππ³οΈββ§οΈπ€π·
- Debian user since 1995, contributing since 2001, Debian member since 2007. I β€οΈ Debian.
- Working on Reproducible Builds since 2014. Aiming to make all β€οΈ Free Software reproducible.
- Ask me anything, anytime. This is a pretty complex topic.
About you
- Who has seen my talk about Reproducible Builds on Monday? (or another time)
- Who knows something about the Debian archive kit (dak)?
- Who knows something about Debian buildd infrastucture?
- Who knows about dpkg-distaddfile?
About this workshop
- I'll get to the topic at hand (how to preserve other build artifacts?) in two minutes.
- But first, some context.
Introduction
The problem
- Source code of free software available
- β¦most people install pre-compiled binaries
- No one really knows how they really correspond (even those building those binaries).
- As a result there are various classes of supply chain attacks.
https://reproducible-builds.org/docs/definition/
- When is a build reproducible?
- A build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.
- The relevant attributes of the build environment, the build instructions and the source code as well as the expected reproducible artifacts are defined by the authors or distributors. The artifacts of a build are the parts of the build results that are the desired primary output.
https://reproducible-builds.org/docs/definition/
- When is a build reproducible?
- [...] The artifacts of a build are the parts of the build results that are the desired primary output.
- Build logs, unit tesst results, autopkgtest results and other build artifacts are out of scope in this definition.
100%!
- 100% reproducible is a political decision and nothing technical.
- We need to change
debian-policy! - We can work around 'must-have-offenders' using whitelists in the beginning.
- The goal is still 100%, whitelists are just a way to achieve that goal eventually.
CI results for Debian unstable, 20240727
Debian policy
- 2017: packages should build reproducibly.
- 2025? reproducible packages must not regress.
- 2025? NEW packages must build reproducibly.
- 2027? packages must build reproducibly.
future reproducibility of Debian amd64
| suite | reproducible | unreproducible |
|---|---|---|
| stretch | 23040(93.2%) | 1514 |
| buster | 26653(93.9%) | 1405 |
| bullseye | 29698(96.2%) | 761 |
| bookworm | 33240(96.9%) | 670 |
| trixie | 35000 | 256 |
| forky | 40000 | 128 (but no regressions or new pkgs) |
| forky+1 | 45000 | 42 policy violations left |
| forky+2 | 50000 | 0 (?!?!!! that's probably 2031) |
Other build artifacts
(and other significant problems)
- So let's get to those other build artifacts finally.
Build artifacts
- .deb files (and .changes and .buildinfo)
- the one and only build logfile
- nothing else, so people who need those artifacts invented unreproducible work arounds and store these build artifacts in .deb files.
- or the workaround is to do a local build to have access to those artifacts. That's clumsy and time consuming.
https://wiki.debian.org/BuildArtifacts
- .deb files (and .changes and .buildinfo)
- the one and only build logfile
- nothing else, so people who need those artifacts invented unreproducible work arounds and store these build artifacts in .deb files.
- or the workaround is to do a local build to have access to those artifacts. Thta's clumsy and time consuming.
https://wiki.debian.org/BuildArtifacts
packages including other build artifacts
src:binutilsbuildsbinutils-devunreproducibly.src:gcc-Xbuildsgcc-X-test-resultsunreproducibly.- We cannot whitelist those packages forever, if we want 100% reproducible packages in Debian
testingandstableeventually! - Many thanks to Matthias Klose for writing https://wiki.debian.org/BuildArtifacts !
other https://wiki.debian.org/BuildArtifacts
- more than one build log.
- config.log, config.status
- preprocessed source for compiler errors
- test results (from unit tests during build, not autopkgtests)
- dejagnu test logs
- The wiki page has more usage examples, eg verbose build logs from GNOME packages. prepocessed sources in /tmp/cc*.out
Preserving build artifacts, what doesn't work:
- salsa CI: we want the artifacts from real builds.
- autopkgtest mechanism is also not dealing with results from the builds, but from tests using the build results.
Preserving other build artifacts
- dpkg-distaddfile can be used to add files to debian/files so that they are referenced in the .changes files and thus included in upload.
- files added via
dpkg-distaddfileend up in the byhand queue, eg oncoccia.debian.org:/srv/ftp-master.debian.org/queue/byhand - Now we only need
dakto accept those files and make them available somewhere, outside the archive, like .buildinfo files... - (Though this doesn't work for failed builds. But then we have nothing for those now neither.)
Preserving build artifacts, how to continue...
- So we only need
dakto accept those files and make them available somewhere... π - Almost sounds like an easy plan.
- Almost:
.buildinfofiles until this day are not made available to the public by the ftpmasters...
Timeline
- Can we have this for
experimentalnow/soon? - and for
unstabledirectly after the trixie releasde? - or even earlier for
unstabletoo?
Thank you
β¦ and all contributors out there!
Any questions, suggestions, ...? π€·https://wiki.debian.org/BuildArtifacts
(let's edit this in a pad during the BoF)
Holger Levsen <holger@reproducible-builds.org>
B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Reproducible Builds, the first eleven years and beyond!
Holger Levsen
DebConf24
2024-08-02, Busan, South Korea