---
layout: new/event_detail
title: .buildinfo files
event: berlin2016
order: 90
permalink: /events/berlin2016/buildinfofiles/
---

## Early work

A goal was to minimise the conditions needed to reproduce a binary.

`.buildinfo` files ("buildinfo files") would be a formula to reproduce a build. It should be as small as possible.

They don't (and can't) describe every possible input;
a build process can be affected by obscure things or external, variable factors.

1. buildinfo files:
record inputs to the build that produced the output, so that you can recreate its state.

2. analysis of buildinfo and outputs:
as more builders provide buildinfo files, we can look for intersections (reproducible binaries), and causes of any differences (non-reproducibility)

3. the ideal (reproducible) build would depend only on the source code and build dependencies

buildinfo files should:

 - contain the minimal information needed to produce a given binary
 - be small, compact, and easily distributable


## buildinfo files might contain:

- source package (name, version, hash?)
- binaries produced (name, arch, checksums)
- build dependencies (recursively)
- build path (until recently?)
- environment variables (since recently?)
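An added example, not part of the summit notes, of the analysis described in item 2 of the early-work list (intersecting buildinfo files from several builders) over the fields listed just above: it parses two constructed `.buildinfo` files, reports which outputs reproduced, and names the recorded inputs that differ between the builds. The field names (`Checksums-Sha256`, `Build-Path`, `Installed-Build-Depends`, `Environment`) are assumed to follow Debian's deb-buildinfo layout; the hashes, paths and package versions are made up.

```python
from textwrap import dedent

# Constructed sample: builder A and builder B built the same source in
# different build paths; B's binary came out with a different hash.
BUILDINFO_A = dedent(f"""\
    Format: 1.0
    Source: hello
    Architecture: amd64
    Version: 2.10-1
    Checksums-Sha256:
     {'a' * 64} 12345 hello_2.10-1_amd64.deb
    Build-Path: /build/hello-2.10
    Installed-Build-Depends:
     gcc (= 6.2.0-1),
     libc6-dev (= 2.24-1)
    Environment:
     LANG="C"
    """)
BUILDINFO_B = BUILDINFO_A.replace('a' * 64, 'b' * 64).replace(
    '/build/hello-2.10', '/home/builder/hello-2.10')

# Recorded inputs whose differences usually explain a differing output.
INPUT_FIELDS = ('Build-Path', 'Installed-Build-Depends', 'Environment')

def parse_buildinfo(text):
    """RFC822-style 'Field: value' parser; indented continuation lines are
    appended to the previous field, one item per line."""
    fields, current = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and current:
            fields[current] += '\n' + line.strip()
        elif ':' in line:
            current, value = line.split(':', 1)
            fields[current] = value.strip()
    return {k: v.strip() for k, v in fields.items()}

def checksums(fields):
    """Map output filename -> sha256 from the Checksums-Sha256 field."""
    entries = (l.split() for l in fields.get('Checksums-Sha256', '').splitlines())
    return {name: digest for digest, _size, name in (e for e in entries if len(e) == 3)}

def compare(text_a, text_b):
    """Return (reproduced files, differing files, differing input fields)."""
    a, b = parse_buildinfo(text_a), parse_buildinfo(text_b)
    ca, cb = checksums(a), checksums(b)
    reproduced = sorted(f for f in ca if f in cb and ca[f] == cb[f])
    differing = sorted(f for f in ca.keys() | cb.keys() if ca.get(f) != cb.get(f))
    inputs = sorted(k for k in INPUT_FIELDS if a.get(k) != b.get(k))
    return reproduced, differing, inputs
```

Running `compare(BUILDINFO_A, BUILDINFO_B)` flags the .deb as differing and points at `Build-Path` as the only recorded input that changed; comparing a file with itself yields the .deb in the reproduced set.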

In Debian, buildinfo is a separate file.

In Arch Linux, buildinfo is included in the package files (but signatures are detached).


## Consuming and aggregating buildinfo files:

In Debian, buildinfo files are used when:

  * DD uploads a package
  * debian-ftp system distributes packages
  * end-user installs packages

and now we also realised:

  * rebuilders
  * buildinfo distributors


## Further work

We want to collate and distribute buildinfo files from external parties too;
not just those from Debian developers and the official builds.

Collecting and distributing those is a quite different task from just distributing buildinfo from Debian's official builds.

[buildinfo.debian.net](https://buildinfo.debian.net) already collects and distributes some non-official buildinfo files.

We will need to write tools making it easy to test [reproducibility] and submit buildinfo,
and tools to retrieve buildinfo files/signatures when installing.

Signed buildinfos save people from having to build every package themselves:
they give them sufficient confidence to trust pre-built binaries.


## Ongoing concerns

buildinfo files should be detailed enough to explain the causes of non-reproducibility;
but too much information ($HOME, hostname, installed package versions)

An argument arose that a normalised build environment avoids lots of reproducibility issues,
like build path, environment, etc., affecting the build.
Whilst that would be easier, some of us think that is really a bug in the software that ought to be fixed.

In the extreme case,
when a build-dependency affects an output binary,
we may need to generate a new set of buildinfo files
describing that situation.
