Reproducible builds/bootstrap

I'm starting to work on a project to make Fedora fully reproducible and bootstrappable from scratch.
I know it is a long term plan and still working on the steps, but it would be good to know the current status, if there is an internal interest in this, if someone is already working (or planning to).

Thanks for the info.



Re: Reproducible builds/bootstrap

By King InuYasha at 11/27/2019 - 09:34

On Wed, Nov 27, 2019 at 9:17 AM Pablo Greco < ... at fliagreco dot> wrote:
I believe Dennis was last interested in this recently, though the last
time it was seriously worked on was when Dhiru Kholia was doing this
in Fedora 23 for the Reproducible Builds project. Since then, RPM has
gained a number of features for supporting reproducibility, some of
them from our friends at SUSE who have been pushing this hard for
openSUSE itself. I've done a small bit of work here and there for
this, too.

The current state of things is that we could relatively quickly start
verifying the reproducibility of Fedora by running a shadow Koji that
has the following flags set in the target tag where builds occur:

%clamp_mtime_to_source_date_epoch 1
%use_source_date_epoch_as_buildtime 1

We already set the following in redhat-rpm-config[0]:
%source_date_epoch_from_changelog 1

It would likely be quite safe for us to add
"%clamp_mtime_to_source_date_epoch 1" to redhat-rpm-config without
seriously inhibiting things. That would just leave a shadow Koji to
only need "%use_source_date_epoch_as_buildtime" and "%_buildhost" set.
These settings should never be forcibly set in redhat-rpm-config, as
they impact third-party packagers and their workflows. Thankfully,
Koji supports having macros set on build target tags directly since
Koji 1.18[1].

As far as bootstrapping from scratch, I believe Richard W. M. Jones
and David Abdurachmanov went through this process for Fedora RISC-V.
They may have more to say about how that was done...

[0]: <a href="" title=""></a>
[1]: <a href="" title=""></a>