Collaborative Working Sessions - Public verification service
Server collects build data
- Includes Hashes of Outputs
- Info About Build Environment
- Finds out what environment factors matter
Use cases
Use data to determine what’s causing builds to differ
What percentage of X builds reproducibly?
Building or rebuilding stuff
Components are things like build environment and sources
Build spec:
- Input archive
- Patches
- Build instructions
- Target distro/OS
Environment:
- What’s installed
- Contents of /etc
- File system types
- Initial working directory
- Environment variables
- Running kernel
- Hardware architecture
- Current user (UID/GID)
Outputs:
- ‘treeish’ hash
- Include some file metadata, but not all
- Should timestamps be stored?
- Is-Test (delete periodically if true)
(above is the payload)
Metadata:
- Name + Version
- Project URL
- Uploader
- Optional signature
- Comment
- Link to build
Formats:
- Linked Data / RDF
- JSON
- SBOM / SPDX / CycloneDX / … ?
- Maybe In-TOTO?
Hook In:
- After ‘Fetch’ / Before ‘Build’
- After ‘Artifact Generation’
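The following is an added worked example, not code from the session or from any existing verification service. It sketches what a submitted record could look like in JSON (build spec, environment, outputs, metadata, as listed above), computes a 'treeish' hash over build outputs that includes paths, permission bits and contents but deliberately not timestamps, and shows the two use cases from the notes: finding which environment factors correlate with differing outputs, and measuring what percentage of packages builds reproducibly. All field names, hash stand-ins and sample records are this example's own assumptions.

```python
import hashlib
import json
import os
from collections import defaultdict

# Record layout, field names and sample data below are assumptions made for
# this example; the session notes do not fix a schema.


def treeish_hash_from_entries(entries):
    """Hash a list of (relative_path, mode_bits, content) tuples in path order.
    Only path, permission bits and length-prefixed content enter the hash;
    timestamps and ownership are left out so two builds that produced the
    same files get the same hash regardless of when or by whom they ran."""
    h = hashlib.sha256()
    for rel, mode, content in sorted(entries):
        h.update(rel.encode() + b"\0")
        h.update(f"{mode & 0o7777:o}\0".encode())      # permission bits only
        h.update(f"{len(content)}\0".encode())          # length prefix, no ambiguity
        h.update(content)
    return h.hexdigest()


def treeish_hash(root):
    """Walk a build output directory and hash it with treeish_hash_from_entries."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                content = f.read()
            entries.append((os.path.relpath(full, root), os.stat(full).st_mode, content))
    return treeish_hash_from_entries(entries)


def make_record(name, version, spec, environment, output_hash, uploader, is_test=False):
    """Assemble one submission: payload (spec, environment, outputs) plus metadata."""
    return {
        "metadata": {"name": name, "version": version, "uploader": uploader},
        "build_spec": spec,
        "environment": environment,
        "outputs": {"treeish": output_hash, "is_test": is_test},
    }


def to_json(record):
    """Canonical JSON (sorted keys, no whitespace): the same record always
    serialises to the same bytes, which matters once records are signed."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def candidate_factors(records):
    """For all records of one name+version, return the environment keys that
    differ between records AND whose value alone predicts the output hash
    (every record with the same value got the same hash). Keys that vary
    without changing the hash are not reported. Confounded keys (always
    changed together) are all reported; more builds are needed to split them."""
    hashes = {r["outputs"]["treeish"] for r in records}
    if len(hashes) < 2:
        return []  # nothing to explain: all builds agreed
    keys = set().union(*(r["environment"].keys() for r in records))
    factors = []
    for key in sorted(keys):
        hashes_by_value = defaultdict(set)
        for r in records:
            hashes_by_value[r["environment"].get(key)].add(r["outputs"]["treeish"])
        varies = len(hashes_by_value) > 1
        predicts = all(len(hs) == 1 for hs in hashes_by_value.values())
        if varies and predicts:
            factors.append(key)
    return factors


def reproducibility_rate(records):
    """Percentage of (name, version) pairs with at least two non-test builds
    whose builds all produced the same treeish hash."""
    builds = defaultdict(list)
    for r in records:
        if not r["outputs"]["is_test"]:   # test uploads are excluded from statistics
            m = r["metadata"]
            builds[(m["name"], m["version"])].append(r["outputs"]["treeish"])
    checked = [hs for hs in builds.values() if len(hs) >= 2]
    if not checked:
        return 0.0
    reproducible = sum(1 for hs in checked if len(set(hs)) == 1)
    return 100.0 * reproducible / len(checked)


# Constructed sample data (not real packages or hashes).
SPEC = {"input_archive": "foo-1.0.tar.gz", "patches": [], "build_instructions": "make",
        "target": "example-distro-12"}
H1, H2, H3, H4 = "a" * 8, "b" * 8, "c" * 8, "d" * 8   # stand-ins for treeish hashes
SAMPLE_RECORDS = [
    make_record("foo", "1.0", SPEC, {"kernel": "6.1", "TZ": "UTC", "uid": 1000}, H1, "alice"),
    make_record("foo", "1.0", SPEC, {"kernel": "6.5", "TZ": "UTC", "uid": 1000}, H1, "bob"),
    make_record("foo", "1.0", SPEC, {"kernel": "6.1", "TZ": "Europe/Berlin", "uid": 1001}, H2, "carol"),
    make_record("bar", "2.0", SPEC, {"kernel": "6.1", "TZ": "UTC", "uid": 1000}, H3, "alice"),
    make_record("bar", "2.0", SPEC, {"kernel": "6.5", "TZ": "UTC", "uid": 1001}, H3, "dave"),
    make_record("baz", "0.1", SPEC, {"kernel": "6.1", "TZ": "UTC", "uid": 1000}, H4, "erin", is_test=True),
]

if __name__ == "__main__":
    foo = [r for r in SAMPLE_RECORDS if r["metadata"]["name"] == "foo"]
    print("foo 1.0 output differs with:", candidate_factors(foo))
    print("packages building reproducibly: %.0f%%" % reproducibility_rate(SAMPLE_RECORDS))
    print(to_json(SAMPLE_RECORDS[0]))
```

In the sample data the kernel version changes between two builds that still agree, so it is ruled out, while TZ and uid only ever change together and are therefore both reported; a fourth build varying just one of them would separate them. Whether file metadata beyond permission bits (or timestamps) should enter the hash is exactly the open question in the notes; this example leaves timestamps out.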
People interested in contributing to implementation:
- Hervé Boutemy (hboutemy@apache.org)
- Arnout Engelen (arnout@bzzt.net)
- Janis Peyer (janispeyer@bluewin.ch)
- Nicolas (boklm@torproject.org)
- quae@daurnimator.com