Collaborative Working Sessions - Public verification service
Server collects build data
- Includes Hashes of Outputs
- Info About Build Environment
- Finds out what environment factors matter
Use cases
Use data to determine what’s causing builds to differ
What percentage of X builds reproducibly
Building or rebuilding stuff
Components are things like build environment and sources
Build spec
Build spec:
- Input archive
- Patches
- Build instructions
- Target distro/OS
Environment:
- What’s installed
- Contents of /etc
- File system types
- Initial working directory
- Environment variables
- TZ
- Locale
- Running kernel
- Hardware architecture
- Current user (UID/GID)
Outputs:
- ‘treeish’ hash
- Include some file metadata, but not all
- Should timestamps be stored?
- Is-Test (delete periodically if true)
(above is the payload)
Metadata:
- Name + Version
- Project URL
- Uploader
- Optional signature
- Comment
- Link to build
Formats:
- Linked Data / RDF
- JSON
- SBOM / SPDX / CycloneDX / … ?
- Maybe in-toto?
Hook In:
- After ‘Fetch’ / Before ‘Build’
- After ‘Artifact Generation’
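A sketch of the two use cases listed above, added here as an example and not part of the session notes or of any project's code. It computes the share of build specs that reproduce and flags the environment factors that line up one-to-one with differing output hashes. The record field names (`spec`, `env`, `output`, `is_test`) and all sample values are assumptions.

```python
from collections import defaultdict

def rec(spec, output, is_test=False, **env):
    # Field names "spec", "env", "output", "is_test" are assumptions for this sketch.
    return {"spec": spec, "env": env, "output": output, "is_test": is_test}

# Constructed sample submissions; the output values are placeholders, not real digests.
RECORDS = [
    rec("hello-2.12", "out-A", TZ="UTC", LANG="C.UTF-8", uid=1000),
    rec("hello-2.12", "out-A", TZ="UTC", LANG="de_DE.UTF-8", uid=1001),
    rec("hello-2.12", "out-B", TZ="Europe/Berlin", LANG="C.UTF-8", uid=1000),
    rec("hello-2.12", "out-B", TZ="Europe/Berlin", LANG="de_DE.UTF-8", uid=1002),
    rec("zlib-1.3", "out-C", TZ="UTC", LANG="C.UTF-8", uid=1000),
    rec("zlib-1.3", "out-C", TZ="Asia/Tokyo", LANG="ja_JP.UTF-8", uid=0),
    rec("zlib-1.3", "out-D", is_test=True, TZ="UTC", LANG="C.UTF-8", uid=1000),
]

def real_builds(records, spec=None):
    """Drop Is-Test submissions; optionally keep only one build spec."""
    return [r for r in records
            if not r["is_test"] and (spec is None or r["spec"] == spec)]

def reproducibility_rate(records):
    """Fraction of build specs whose non-test builds all share one output hash."""
    outputs = defaultdict(set)
    for r in real_builds(records):
        outputs[r["spec"]].add(r["output"])
    if not outputs:
        return 0.0
    return sum(len(h) == 1 for h in outputs.values()) / len(outputs)

def suspect_factors(records, spec):
    """Environment keys whose values map one-to-one onto the differing outputs."""
    builds = real_builds(records, spec)
    if len({r["output"] for r in builds}) < 2:
        return []  # all builds agree (or too few builds): nothing to explain
    suspects = []
    for key in sorted(set().union(*(r["env"] for r in builds))):
        pairs = {(r["env"].get(key), r["output"]) for r in builds}
        values = {v for v, _ in pairs}
        outs = {o for _, o in pairs}
        # One-to-one: every value yields a single output and every output a single value.
        if len(pairs) == len(values) == len(outs):
            suspects.append(key)
    return suspects

if __name__ == "__main__":
    print(reproducibility_rate(RECORDS), suspect_factors(RECORDS, "hello-2.12"))
```

A flagged factor is a correlation over the submitted builds, so it is a lead for a controlled rebuild rather than proof of the cause.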
People interested in contributing to implementation:
- Hervé Boutemy (hboutemy@apache.org)
- Arnout Engelen (arnout@bzzt.net)
- Janis Peyer (janispeyer@bluewin.ch)
- Nicolas (boklm@torptoject.org)
- quae@daurnimator.com
