As part of a Google Summer of Code project, Atharva Lele works on reproducible builds.
Arnout is away on: 30-31/5; 10/6; some time in July; 15-19/8.
Weekly meetings on appear.in/buildroot every Tuesday at 14:30 UTC.
- As discussed on IRC, diffoscope only needs to be done if cmp detects differences. However, it doesn't take long anyway, and it *will* report if there is a difference.
- diffoscope must be done on output/target/ and target/images, but autobuilders don't enable any images. So when doing a reproducible test, a tarball must be generated.
- Manually try this, to be sure that it also looks inside the generated images.
- Enable one / all target filesystems to check this manually.
- Disable BR2_REPRODUCIBLE for this test, so there actually are some differences.
- diffoscope has a lot of dependencies; we don't want all of these on the autobuilders.
- Try what the output is if the external tools are not installed
- autobuilder script should fall back on cmp if diffoscope is not installed
- Start patching autobuilder script to do a reproducible test.
- Randomly enable BR2_REPRODUCIBLE, e.g. 10% of the time
- Do the same build a second time. Only variation is time.
- Run diffoscope on the result.
- Confirmed that starting from next week, work is full-time on GSoC (end of exams)
- Review of the Yocto implementation
- differences: Yocto is a distribution, so has a cache of the output, while buildroot does not
- SOURCE_DATE_EPOCH and TZ: already done (depends on BR2_REPRODUCIBLE)
- Doing similar in Buildroot:
- Do a first build with a successful config from autobuilders, after enabling BR2_REPRODUCIBLE
- Then mv $(O)/target to $(O)/target-1; make clean; make
- And then run diffoscope target-1 target/
- Identify diffoscope dependencies to run it in autobuilders (eventually)
- How to save and present the result on autobuilder site?
- confirm overall actions and planning
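
One way to script the comparison step with the cmp fallback discussed above, as an added example (not code from the autobuild-run script or from Buildroot). The function names, the `DIFFOSCOPE` override variable and the report-file argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the target trees of two Buildroot builds.
# cmp_trees, compare_builds and DIFFOSCOPE are hypothetical names.

# Fallback: byte-compare every regular file with cmp, compare symlink
# targets, and report files present in only one tree.
# Prints one line per difference; returns 0 if identical, 1 otherwise.
# Assumes file names contain no newlines.
cmp_trees() {
    a=$1; b=$2; rc=0
    list=$(mktemp "${TMPDIR:-/tmp}/cmptrees.XXXXXX")
    # Union of the relative paths found in both trees.
    { (cd "$a" && find . ! -type d); (cd "$b" && find . ! -type d); } \
        | sort -u > "$list"
    while IFS= read -r f; do
        if [ ! -e "$a/$f" ] && [ ! -L "$a/$f" ]; then
            echo "only in $b: $f"; rc=1
        elif [ ! -e "$b/$f" ] && [ ! -L "$b/$f" ]; then
            echo "only in $a: $f"; rc=1
        elif [ -L "$a/$f" ] || [ -L "$b/$f" ]; then
            [ "$(readlink "$a/$f")" = "$(readlink "$b/$f")" ] \
                || { echo "symlink differs: $f"; rc=1; }
        elif ! cmp -s "$a/$f" "$b/$f"; then
            echo "differs: $f"; rc=1
        fi
    done < "$list"
    rm -f "$list"
    return "$rc"
}

# Prefer diffoscope (exit status 0 = identical, 1 = differences found);
# fall back on cmp_trees when it is not installed.
# Arguments: first tree, second tree, report file.
compare_builds() {
    if command -v "${DIFFOSCOPE:-diffoscope}" >/dev/null 2>&1; then
        "${DIFFOSCOPE:-diffoscope}" --text "$3" "$1" "$2"
    else
        cmp_trees "$1" "$2" > "$3"
    fi
}

# Usage in the output directory, following the steps in the notes:
#   make; mv target target-1; make clean; make
#   compare_builds target-1 target diff.txt || echo "not reproducible"
```

The fallback only says which files differ; diffoscope is still needed to see what differs inside them.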
- Wiki page: Reproducible Builds
- Shared State Mechanism: If input metadata hashes are same, outputs are reused. If inputs have changed, tools from Reproducible-Builds to be used. Further development yet to be done.
- At this stage, binary contents should be same. However file timestamps (due to package managers) may be different.
- Static Timezone value: Bugzilla
- Adapted SOURCE_DATE_EPOCH: Bugzilla, Source-Date-Epoch - Reproducible Builds
- Archives generated with deterministic metadata (using archive tools' arguments)
- Remove non-deterministic data from rootfs
- Diffoscope data on their shared states: yocto-reproduciblebuilds-data
- Depends on: python3, PyPI modules: libarchive-c, python-magic
- External tools required: Rscript, abootimg, apktool, bsdtar, bzip2, cbfstool, cd-iccdump, cmp, compare, convert, db_dump, diff, docx2txt, dumpxsb, enjarify, fdtdump, ffprobe, getfacl, ghc, gifbuild, gpg, gzip, identify, img2txt, isoinfo, javap, js-beautify, lipo, llvm-bcanalyzer, llvm-dis, lsattr, lz4, msgunfmt, nm, objcopy, objdump, ocamlobjinfo, odt2txt, oggDump, otool, pdftotext, pedump, pgpdump, ppudump, procyon, ps2ascii, readelf, showttf, sng, sqlite3, ssconvert, ssh-keygen, stat, tcpdump, unsquashfs, wasm2wat, xxd, xz, zipinfo, zipnote
- This has tools used to compare a lot of file formats that probably aren't generated (like android APKs, Windows/Mac executables) in a Buildroot run. We can exclude those.
Sample Diffoscope Output
- Minimal config build (make defconfig; make). Will run diffoscope on a build from Autobuilder config tomorrow.
- Builds run about 10 minutes apart.
- Moved first build to target, and rerun. Then run diffoscope target-1 target > diff.txt
- diffoscope log: https://paste.ubuntu.com/p/VpMbW4qQQP/
- Except for a time record in the busybox binary, all other differences seem to be only timestamps of file generation.
- Week 20: study how yocto does it
- Week 21: ...
- Week 22: do two builds in autobuild-run script