Make the whole qubes-builder deterministic

QubesOS / qubes-issues

The Qubes OS Project issue tracker

https://www.qubes-os.org/doc/issue-tracking/

541 stars 48 forks source link

Make the whole qubes-builder deterministic #816

Open marmarek opened 9 years ago

marmarek commented 9 years ago

Reported by joanna on 11 Apr 2014 09:09 UTC ... to allow easy, independent comparison of rpms/ISOs build from the same sources on different machines and by different people.

In the future: allow rpm/iso signatures by ""M out of N" signers.

Migrated-From: https://wiki.qubes-os.org/ticket/816

marmarek commented 9 years ago

Comment by joanna on 11 Apr 2014 09:11 UTC We need deterministic gcc, rpmbuld, and probably many other tools.

A great task for somebody from the community! :)

marmarek commented 9 years ago

Comment by marmarek on 17 Apr 2014 00:05 UTC Some thoughts on similar idea from Debian project: https://wiki.debian.org/ReproducibleBuilds

marmarek commented 9 years ago

Modified by joanna on 20 Apr 2014 17:12 UTC

marmarek commented 9 years ago

Comment by axon on 11 Aug 2014 09:05 UTC Historical reference: https://groups.google.com/d/topic/qubes-devel/D2Ca4Ef-dh4/discussion

marmarek commented 9 years ago

Useful link for Fedora work on reproducible builds: https://github.com/kholia/ReproducibleBuilds http://securityblog.redhat.com/2013/09/18/reproducible-builds-for-fedora/

andrewdavidwong commented 7 years ago

In the future: allow rpm/iso signatures by ""M out of N" signers.

Since this is actually a separate issue, I've created #2535.

marmarek commented 5 years ago

Status:

Debian packages for R4.0 build twice in the same environment are reproducible (at least we don't have timestamp issues)
Fedora packages for R4.0 dom0 are not (too old rpm), R4.1 should be fine
Fedora packages for fc30 VM mostly are reproducible (tested local build vs travis) - with exception to very few packages like core-agent-linux (see https://github.com/QubesOS/qubes-issues/issues/4625)

Besides packages itself, some tooling is missing to reproduce environment (frozen set of dependencies). We do have buildinfo files, but not an automated way to prepare build environment based on it.

cc @iprid23

garlicgambit commented 4 years ago

@marmarek what is the current status of reproducible builds? Is the Qubes install iso deterministically reproducible?

marmarek commented 4 years ago

No, it isn't. Not much changed from the comment above, but we do have scheduled some work on this later this year.

garlicgambit commented 3 years ago

What is the current status of reproducible builds for the Qubes install iso?