Collaborative Working Sessions - Public verification service

Server collects build data

  • Includes Hashes of Outputs
  • Info About Build Environment
  • Finds out what environment factors matter

Use cases

Use data to determine what’s causing builds to differ

What percentage of X builds reproducibly

Building or rebuilding stuff

Components are things like build environment and sources

Build spec

Build spec:

  • Input archive
  • Patches
  • Build instructions
  • Target distro/OS

Environment:

  • What’s installed
  • Contents of /etc
  • File system types
  • Initial working directory
  • Environment variables
    • TZ
    • Locale
  • Running kernel
  • Hardware architecture
  • Current user (UID/GID)

Outputs:

  • ‘treeish’ hash
  • Include some file metadata, but not all
  • Should timestamps be stored?
  • Is-Test (delete periodically if true)

(above is the payload)

Metadata:

  • Name + Version
  • Project URL
  • Uploader
  • Optional signature
  • Comment
  • Link to build

Formats: - Linked Data / RDF - JSON - SBOM / SPDX / CycloneDX / … ? - Maybe In-TOTO?

Hook In: - After ‘Fetch’ / Before ‘Build’ - After ‘Artifact Generation’

People interested in contributing to implementation: - Hervé Boutemy (hboutemy@apache.org) - Arnout Engelen (arnout@bzzt.net) - Janis Peyer (janispeyer@bluewin.ch) - Nicolas (boklm@torptoject.org) - quae@daurnimator.com

Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info