LinuxQuestions.org


Rinndalir 08-22-2016 07:00 PM

Reproducible builds
 
If on current and a package is built from source, shouldn't the binaries be identical to what's installed? I was surprised when a package with only three core libraries (using ldd) was a different size than the installed binary. Mine was 104 bytes larger. I may have to use objdump to determine what's different. I was thinking maybe a couple or few bytes for timestamps or something, but not 104.

I'm not super worried, more curious, so don't anybody freak.

If you're curious about reproducible builds, here's Debian's ambitious project.

https://wiki.debian.org/ReproducibleBuilds

Richard Cranium 08-22-2016 08:12 PM

No, because the official package may not have been built in -current. There's a rather long thread around here where that is discussed.

dugan 08-22-2016 10:52 PM

Pat updates -current by rebuilding a few packages at a time. Obviously, that means that most of the packages in -current weren't built against the current snapshot.

ponce 08-23-2016 12:29 AM

https://www.linuxquestions.org/quest...ds-4175553407/

ReaperX7 08-23-2016 01:03 AM

If you have ever read up on hard dependencies versus soft dependencies, it should explain it better.

kjhambrick 08-23-2016 06:21 AM

Thank you ponce for that link !

I wasn't around much last Fall ( 13.37 was working just fine for me on my trusty-old 2011 Laptop :) ).

I've saved the link in my URL Lint in my Security-Related/ Directory

And thanks to 55020 for post #13 !

-- kjh

Rinndalir 08-24-2016 01:37 PM

Quote:

Originally Posted by Richard Cranium (Post 5594594)
No, because the official package may not have been built in -current.

Ah, right. Turns out that I am making some debug binaries so they're all going to be different. But I think reproducible builds are a really good idea anyway.

the3dfxdude 08-24-2016 03:38 PM

I read over Debian's page some and got here:
https://wiki.debian.org/Reproducible...oSpecification

I think calling it "reproducible builds" is a bit misleading. I would call it an audit. And they are capturing enough of a fingerprint so that hopefully the build system can be fully recreated where a package was built on. They are not saying that the packages must be built 100% identically in each stable release, but I could have missed it. But reproducible builds would be a nice side-effect.

Audits are good, but I don't think it should be required of distributions to track this much detail, nor to rebuild the entire package set prior to a stable release. I do think much fear of not knowing all the details can go away based on how you trust your tool-chain. I don't think that simply automating this into the packaging system really is going to gain much.

Rinndalir 08-26-2016 05:55 PM

Quote:

Originally Posted by the3dfxdude
I think calling it "reproducible builds" is a bit misleading.

Not at all. You may not be understanding their project. There's a presentation by one of the devs from a linux conference that's excellent. It makes it very clear. Worth watching and was very well liked by the audience which doesn't happen that often with techies.
There was a lot of applause.

Rinndalir 08-26-2016 06:11 PM

The talk was given at FOSDEM 2016.

http://video.fosdem.org/2016/janson/...ble-builds.mp4

https://archive.fosdem.org/2016/sche..._ecosystem.pdf
