Reproducible builds and openSUSE Bernhard M. Wiedemann Cloud Developer [email protected] 

Introduction 

3 Where does our code come from 

4 What are reproducible builds? • Get the same results from building sources • Two use-cases ‒ ideally bit-by-bit identical (thus same hashes) ‒ weaker: same content after applying some filters (via build-compare) 

5 Why reproducible builds? • Need less trust in the build hosts • Reduced load on build-service from rebuilds 

6 Typical problems • embedded timestamps, hostname • embedded rebuild counters • random .o file link order changes optimization • compile-time CPU detection 

Current state 

8 Work done • 71 submit-requests • 6 bugs filed • 4 upstream fixes merged • some build-compare filters added (e.g. for javadoc) 

9 rebuild-test-scripts • available from https://github.com/bmwiedemann/reproducibl eopensuse • including this presentation's source https://github.com/bmwiedemann/reproducible opensuse/blob/master/presentation/reproduci ble.md 

10 How reproducible can we get? • bit-identical with rpm+build from home:bmwiedemann:reproducible repo and effort ‒ https://build.opensuse.org/package/rdiff/home:bmw iedemann:reproducible/build?linkrev=base&rev=2 

11 Where do we want to go? • fix all build-compare issues • not yet produce fully bit-identical rpms 

Thank you. 12 Questions? 

Corporate Headquarters Maxfeldstrasse 5 90409 Nuremberg Germany +49 911 740 53 0 (Worldwide) www.suse.com Join us on: www.opensuse.org 14