Is it possible to have binary reproducible builds on Chum/OBS?
Since the hostile fork [definition, reasons] of Whisperfish yesterday, I was wondering how we could improve the trustworthiness of our packages. OpenRepos has zero accountability of course, but OBS would make it possible to have a transparent and traceable path from source to RPM.
I know that OpenSUSE is working on reproducible builds for all packages on their OBS but I don’t know enough about how any of this works. Does anyone know more?
[OT]
I’m feeling a bit uncomfortable.
It’s burning in enough places, atm.
None of us would have an interest in having fires here as well, imo.
I’m not familiar with the issues involved, but I’m convinced some better communication, some better-chosen words, could solve a lot of things.
The text/web interface doesn’t help either, as I’m sure that, around a [tea || coffee || beer] at a meeting, things could be discussed, said directly and solved.
Just a note that we at Jolla have been working on getting all official Sailfish OS package builds to be reproducible on OBS, and only a couple of packages are left. It seems community OBS doesn’t do the package change check, and I asked the maintainer whether that is intentional or not.
Reproducible builds protect against all kinds of situations where you have to trust random code written, packaged, built by random people on the internet. There are enough examples of people introducing malware into open source software, the various npm incidents, people trying to introduce bugs into the Linux kernel, the xz utils backdoor, etc.
It makes everyone safer if you can verify that binaries are actually built from the claimed sources. → Reproducible builds - Wikipedia
Off topic: this is what I mean by “hostile fork” → definition I believe(d) it’s a common term in FLOSS circles, sorry for the confusion. In this specific case, I explained in the other thread why I consider the fork problematic. I don’t want to accuse anyone of malicious intent.
Thank you, this is very good to hear! Is there something we as the community can do to help? Which packaging changes are required to make a build reproducible?
The build comparison script has been added to community OBS, so now you can trigger some build and see if that is reproducible. What is needed for each package differs a lot; some don’t need any changes while others need fixing. The most common issues are that the build includes the package version incorrectly (including the build count, i.e. the release version) or a build timestamp in the output.
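To make the two failure modes from the post above concrete (the release/build count leaking into the output, and build timestamps ending up in the archive), here is an added example that is not part of this thread and is not Jolla's or OBS's comparison script. It builds the same constructed file tree twice in the naive way and twice the reproducible way, hashes the results, and lists entry-by-entry why two builds differ, which is roughly what a build comparison check does. The tree, the `buildinfo` file, the function names and the default `SOURCE_DATE_EPOCH` value are all assumptions made for the example; `SOURCE_DATE_EPOCH` itself is the environment variable the reproducible-builds.org specification defines.

```python
"""Added example: why a package build is or is not bit-for-bit reproducible.

Everything here is constructed for illustration (sample tree, file names,
function names); it is not the OBS build comparison script.
"""
import gzip
import hashlib
import io
import os
import tarfile

# Constructed sample "build output" tree. Dict order is deliberately unsorted.
SAMPLE_TREE = {
    "usr/share/doc/hello/README": b"Hello, reproducibly.\n",
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
}


def _pack(entries, gzip_mtime):
    """Write (name, mtime, data) triples as a tar stream, then gzip it with
    the given header timestamp. Shared by both build flavours below."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, mtime, data in entries:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # gzip stores MTIME at bytes 4..8 of its header; None would mean "now".
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()


def naive_build(tree, release, build_time):
    """The non-reproducible pattern: the release (OBS build count) and the
    build time are written into the package, and tar/gzip record the current
    time. build_time stands in for time.time() so the example is deterministic."""
    entries = [(name, build_time, data) for name, data in tree.items()]
    buildinfo = f"Version: 1.0-{release}\nBuilt: {build_time}\n".encode()
    entries.append(("usr/share/hello/buildinfo", build_time, buildinfo))
    return _pack(entries, gzip_mtime=build_time)


def reproducible_build(tree, source_date_epoch):
    """The same package built the reproducible way: sorted entry order, all
    mtimes clamped to SOURCE_DATE_EPOCH, a zero gzip timestamp, and a version
    string that omits the build count."""
    entries = [(name, source_date_epoch, data) for name, data in sorted(tree.items())]
    entries.append(("usr/share/hello/buildinfo", source_date_epoch, b"Version: 1.0\n"))
    return _pack(entries, gzip_mtime=0)


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def is_reproducible(build_a, build_b):
    """A build comparison check boils down to this: identical bytes."""
    return sha256(build_a) == sha256(build_b)


def list_entries(blob):
    """Return {name: (mtime, content)} for every regular file in a .tar.gz."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = (member.mtime, tar.extractfile(member).read())
    return out


def explain_differences(build_a, build_b):
    """List human-readable reasons two builds differ (empty if identical)."""
    reasons = []
    if build_a[4:8] != build_b[4:8]:
        reasons.append("gzip header timestamp differs")
    ea, eb = list_entries(build_a), list_entries(build_b)
    for name in sorted(set(ea) | set(eb)):
        if name not in ea or name not in eb:
            reasons.append(f"{name}: present in only one build")
            continue
        if ea[name][0] != eb[name][0]:
            reasons.append(f"{name}: mtime differs")
        if ea[name][1] != eb[name][1]:
            reasons.append(f"{name}: content differs")
    return reasons


if __name__ == "__main__":
    # Two "rebuilds" of the naive package, one minute and one build count apart.
    a = naive_build(SAMPLE_TREE, release=1, build_time=1700000000)
    b = naive_build(SAMPLE_TREE, release=2, build_time=1700000060)
    print("naive reproducible:", is_reproducible(a, b))
    for reason in explain_differences(a, b):
        print("  ", reason)
    # Default epoch is an assumption for the example; real builds take it from the env.
    epoch = int(os.environ.get("SOURCE_DATE_EPOCH", "1700000000"))
    c = reproducible_build(SAMPLE_TREE, epoch)
    d = reproducible_build(SAMPLE_TREE, epoch)
    print("fixed reproducible:", is_reproducible(c, d), explain_differences(c, d))
```

Running it shows the naive archive differing in the gzip header, in every entry's mtime and in the `buildinfo` content, while the normalised build hashes identically on every run. The same normalisations (sorted inputs, `SOURCE_DATE_EPOCH` for all timestamps, no build count in embedded version strings) are what an RPM spec typically needs before a rebuild on OBS compares clean.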
Whisperfish will be a rather difficult beast to get reproducible, I’m sure. But I think it should be a goal, together with getting it on OBS and Chum in the first place. Most of it builds on OBS already; I’ll want to make the ringrtc component buildable as well though, and that’s very very painful.
Nice! Now the only step left for me is to package my apps on OBS.
Do you guys have internal docs on that which could be made public? If there is Sailfish-specific stuff that needs attention… // link for later, I haven’t read it yet: https://en.opensuse.org/openSUSE:Reproducible_Builds