Reproducible Builds

Reproducible Builds

[Achim Gratz]

Has anybody tried to make cygport builds reproducible?  It bothers me
that each time I build the same package in the same build environment I
get a different package archive (even if the same size it will have
another checksum) and lots of files inside the archive are different,
too.

It seems that the Debian folks have been trying to get that problem
solved on a larger scale (they also record the build environment so it
could be re-created as needed).

https://wiki.debian.org/ReproducibleBuilds
https://lwn.net/Articles/630074/

But for starters I'd be happy if two consecutive builds produced the
same archive.  Besides getting stable SHA-512 it would enable us to
package the noarch parts independently (i.e. files that are identical
between an i686 and an x86_64 build).


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Factory and User Sound Singles for Waldorf rackAttack:
http://Synth.Stromeko.net/Downloads.html#WaldorfSounds

Re: Reproducible Builds

[Stephen John Smoogen]

To make a reproducible build requires being able to completely control
the environment that the system is built in. Timestamps, random
numbers used for hashes etc all have to be prechosen and known. I
don't know how much of that is outside of the control of the Cygwin
build environment because the Windows system has its own ways of
choosing such things.

On 12 October 2015 at 13:13, Achim Gratz <Stromeko@nexgo.de> wrote:
>
> Has anybody tried to make cygport builds reproducible?  It bothers me
> that each time I build the same package in the same build environment I
> get a different package archive (even if the same size it will have
> another checksum) and lots of files inside the archive are different,
> too.
>
> It seems that the Debian folks have been trying to get that problem
> solved on a larger scale (they also record the build environment so it
> could be re-created as needed).
>
> https://wiki.debian.org/ReproducibleBuilds
> https://lwn.net/Articles/630074/
>
> But for starters I'd be happy if two consecutive builds produced the
> same archive.  Besides getting stable SHA-512 it would enable us to
> package the noarch parts independently (i.e. files that are identical
> between an i686 and an x86_64 build).
>
>
> Regards,
> Achim.
> --
> +<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+
>
> Factory and User Sound Singles for Waldorf rackAttack:
> http://Synth.Stromeko.net/Downloads.html#WaldorfSounds



-- 
Stephen J Smoogen.

Re: Reproducible Builds

[Qian Hong]

On Tue, Oct 13, 2015 at 3:33 AM, Stephen John Smoogen <smooge@gmail.com> wrote:
> To make a reproducible build requires being able to completely control
> the environment that the system is built in. Timestamps, random
> numbers used for hashes etc all have to be prechosen and known. I
> don't know how much of that is outside of the control of the Cygwin
> build environment because the Windows system has its own ways of
> choosing such things.

Maybe we can try to use Wine. We've work on cygwin/msys2
support for a few month and we are very interesting in feedback from
real world users ;-) With Wine (Staging) 1.7.52 + Cygwin we can
bootstrap Cygwin runtime itself. Wine could be consistent among
different users even they are using different version of Linux
distribution, while different users might not be easy to use same
Windows version due to License problems and so on. With some hack, I
believe those timestamps/random number things could also be controlled
in Wine.

Not sure if that information really help you, but if you need any more
info about Wine Cygwin support feel free to ask me ^^

Have a good day :)

(Achim, I sent you a private email since I guessed not a lot people
will be interesting in my reply, but after reading Stephen's post I
decided to send again, sorry for duplicate post Achim)


-- 
Regards,
Qian Hong

-
http://www.winehq.org

Re: Reproducible Builds

[Jon Turney]

On 12/10/2015 20:13, Achim Gratz wrote:
> Has anybody tried to make cygport builds reproducible?  It bothers me
> that each time I build the same package in the same build environment I
> get a different package archive (even if the same size it will have
> another checksum) and lots of files inside the archive are different,
> too.

First you need to get the tool chain to produce deterministic builds, 
which I believe is possible.

You might take a look at 
https://sourceware.org/bugzilla/show_bug.cgi?id=16887 for one of the 
reasons why this is not turned on by default.

Re: Reproducible Builds

[Achim Gratz]

Achim Gratz writes:
> Has anybody tried to make cygport builds reproducible?

Thanks for all responses so far.  I take it to mean that indeed nobody
has tried to do it before and that I can't look at something that I can
start with.  Something else for the future, then.


Regards,
Achim.
-- 
+<[Q+ Matrix-12 WAVE#46+305 Neuron microQkb Andromeda XTk Blofeld]>+

Wavetables for the Terratec KOMPLEXER:
http://Synth.Stromeko.net/Downloads.html#KomplexerWaves