Reviewing existing reproducible builds tools

diffoscope

• diff two artefacts and check if they are the same.
• if not, it will open artefact and will try to find out what’s wrong.
• it does this recursetly
• e.g. a zip file, will be open and it will identify which file within the archive is different.
• e.g. a elf file will be opened and the section is being identified.

stripnondeterminism

• runs after the build
• remove known causes of nondeterminism
• e.g. jar’s aren’t reproducible and make it reproducible
• remove several timestamp
• should not exist by designed
• but upstream is hard or take a lot of time. it’s an intermediate solution

disorderfs

• fuse filesystem
• has different modes
• e.g. random
• ls -f / can return every time a difference
• e.g. invert
• invert the listing
• e.g. order
• will order mode

Good practices:

• runs once in “order” mode
• runs second in invert mode to have a deterministic non-deterministic way.

trydiffoscope.org

• web service
• you don’t have to install diffoscope with the lots of dependencies
• written in django
• cmdline client to avoid main diffoscope install
• upload
• diff on the server
• create a link to be shared into the bug report

reprotest

• tool to run the a build run twice
• can use container
• reprotest make will run it twice. but changing the environment like TZ

tests.reproducible-builds.org

• based jenkins
• doesn’t run reprotest
• is running bunch of scripts to do the build twice
• is legacy, but moving to reprotest, isn’t going to happen, as long reprotest is still under development

squashfs-tools

• the upstream is not reproducible
• lots of distribution patches
• unclear if the reproducible patches gonna accepted
• lynxis will do a fork because the maintainer isn’t
• not reproducible becaues of timestamps and scheduling problems

guix

• packages manager guarantees reproducibility
• guix challenge compares difference sources of a binary

reproducibleopensuse

can test a packages which has been uploaded to opensuse build system. varies:

• hostname
• date

tool request

• to make javascript reproducible, there should be a npm-ls to get all the npm packages.
• someone created a cross-ecosystem scraper to scrape npm, pypi
• prevent build systems to talk to the internet
• run a tcpdump on the system. if the .pcap file is greater than 0, you know the build talked to the internet. It helps create a good bug report to know, to which server it talks and what.
• Put the “is the build talking to the internet” feature into the build system.
• call runc without network
• create a namespace without network

Feedback results to the community

reproshilds.io??

• travis-ci integration
• create a tool to integrate it into their build process
• create a feedback api.
• get badges

The unreproducible package

have a package full of unreproducible things

next sessions

• squashfs forking session
• reprotest