search

jrmarino / synth

Next D/Ports build tool for live systems (Alternative for Portmaster and Portupgrade tools)
ISC License
255 stars 15 forks source link

Reproducible builds support #206

Open ghost opened 2 years ago

ghost commented 2 years ago

Does snyth support reproducibly built packages through SOURCE_DATE_EPOCH? If SOURCE_DATE_EPOCH is set to the TIMESTAMP in distinfo when pkg create is called, it should allow for a number of packages to be reproducible.

jrmarino commented 2 years ago

I can't find current documentation on SOURCE_DATE_EPOCH. I assume the ports tree sets it under specific circumstances, probably a make.conf variable or the setting of an environment variable. If you tell me how it's done for poudriere, I can likely tell you how to set it on synth too. John

On Wed, Feb 23, 2022 at 1:48 PM sometato @.***> wrote:

Does snyth support reproducibly built packages through SOURCE_DATE_EPOCH? If SOURCE_DATE_EPOCH is set to the TIMESTAMP in distinfo when pkg create is called, it should allow for a number of packages to be reproducible.

— Reply to this email directly, view it on GitHub https://github.com/jrmarino/synth/issues/206, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAISZ5SQIKAW4KHH2CDFOQ3U4U2YHANCNFSM5PFLAH4Q . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

You are receiving this because you are subscribed to this thread.Message ID: @.***>

ghost commented 2 years ago

You know, I can't actually find it for Poudriere, either.

I do see it here: https://www.freebsd.org/cgi/man.cgi?pkg-create(8)#end

     SOURCE_DATE_EPOCH
              Set the timestamp for every single file in the archive
              to the one specified in the environment variable

More info here: https://reproducible-builds.org/docs/source-date-epoch/

I would use the timestamp in distinfo to set SOURCE_DATE_EPOCH when calling pkg create, or maybe even before. I wonder though if there's a ports make macro that does this already, and a different environment variable that Poudriere might be setting.

jrmarino commented 2 years ago

you could actually have a script update an environment file that synth picks up. from man page 

<profile>-environment
               This is an optional, user-provided file. It contains a
               list of name-value pairs joins with an equals sign
               (e.g. HTTP_PROXY=http://proxyserver:8888/), one pair per
               line.  If the file exists, these variables will be de-
               fined in the builder environment.  For the default pro-
               file, the file would normally be located at
               /usr/local/etc/synth/LiveSystem-environment

so you can set SOURCE_DATE_EPOCH yourself in that file