reproducible builds of FreeBSD in a chroot on Linux

Holger Levsen holger at
Sat Jul 18 14:10:44 UTC 2015


so I made some progress on this: a.) there is a build host running freebsd 
10.1 (called now, on which the jenkins user from can login via ssh as jenkins user b.) besides the base 
system it has "screen git vim sudo denyhosts" installed and c.) the 
directories /srv/workspace/chroots/ and /srv/reproducible-results have been 
created (and are owned by the jenkins user) and d.) /usr/obj/srv is a link to 

With this, 
gets as far as 
where "stage 2.1: cleaning up the object tree" fails on "make buildworld", 
because /srv/workspace/chroots/freebsd-
XXXXXXXX.v1adN6Qo/freebsd/lib/libc/tests does not exist.

And at this point I'm stuck as to why this happens. Any hint much welcome!

(Please note that is just a work-in-progress now and 
there are still some bits from it's source, visible. 
This need to be cleaned up, but shouldn't be too confusing know that this is 

On Mittwoch, 17. Juni 2015, Ed Maste wrote:
> > claims there are 3 known
> > issues (for "make world" AIUI) for HEAD, I would like to build twice and
> > verify myself.
> I'm interested in fixing the remaining kernel / world issues, with the
> kernel being my higher priority.

> For the kernel we have the username, hostname, and build timestamp.
> The path is included too, but I don't anticipate trying to address it
> at first; release builds are done in a consistent location anyhow
> (/usr/src).

/me nods - that's what we are doing in (reproducible builds for) Debian too, 
the path has to be the same on rebuilds (as it is included in too many build 
artifacts to deeply.)

> These are used only as user-facing strings for the kern.version sysctl
> and reported by uname. An example kern.version string:
> FreeBSD 10.1-STABLE #28 r280427+86df2de(stable-10): Thu Mar 26 16:07:47 EDT
> 2015
> emaste at feynman:/tank/emaste/obj/tank/emaste/src/git-stable-10/sys/GENERIC
> From a technical perspective they're trivially eliminated. There may
> be some 3rd party ports expect the precise format, but probably not
> very many (and they should be fixed, anyhow).  There's a much larger
> social issue in convincing the FreeBSD developer community to accept
> their removal, though :-)

If any build (of the same sources) results in the exact same bits, the build 
time becomes meaningless and thus a.) can be dropped or b.) replaced with the 
date of the last modification of the sources - which is meaningful information 

While this is/was a new thought for most everyone (me included...) in my 
experience it also has been convincing logic for most everyone. The technical 
details to achieve this are sometimes a bit harder to achieve, but not 
impossible. (eg they differ whether git, svn or tarballs are the means to get 
access to sources.)

In Debian we want 100% bit identical packages (=.deb files) as this allows us 
to only require a checksum comparison to see whether two builds created 
reproducible results.

> > says "Of the 23599
> > packages which were built in both runs, 15164 have the same checksum
> > when using the previously mentioned patch, giving 64.25% reproducible
> > packages." - I'm also curious to re-confirm this - and set up a test
> > bed, which can be triggered regularily and easily. Our jenkins set up
> > allows this and I'm interested to do this.
> I'm pleasantly surprised by the ports results -- 64.25% seems quite
> good for such a straightforward change. The test there is on the same
> host though, and so avoids any non-reproducibility from host/user/path
> leaks.


> > My interest is to help FreeBSD with reproducible builds as I want to see
> > reproducible builds become the norm in the free software world and as I
> > believe FreeBSD is an important part of this world. And also because I'm
> > curious. :)
> Great! Hopefully we can help lend some weight in convincing upstream
> projects to accept reproducibility patches (once we get further along
> in our ports effort).

I'm looking forward to see this happen! ;-)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part.
URL: <>

More information about the freebsd-hackers mailing list