Some reproducible builds notes

Ed Maste emaste at
Thu Jun 16 14:11:13 UTC 2016

I recently presented on "Reproducible Builds in FreeBSD" at BSDCan.
For anyone unfamiliar with the topic, from "Reproducible builds are a set of
software development practices which create a verifiable path from
human readable source code to the binary code used by computers." In
brief, the idea is that building the same binary, software package,
document or other binary artifact twice from the same source produces
identical output. There's good background information, documentation
on making builds reproducible, and links to test results on the site.

Many folks have contributed to the reproducible build effort in
FreeBSD src and ports over time -- at least a decade. There are many
practical benefits of reproducible builds (such as bandwidth and
storage savings). However, there's been a growing interest over the
last few years in the broad open source and free software community in
the topic, coming primarily from a software and toolchain integrity
perspective. Over the last few years some Debian folks have been
leading a comprehensive and structured reproducible builds effort.
bapt@ and I attended the first Reproducible Builds Summit in Athens
last year, and I had a talk accepted at BSDCan on it. The BSDCan
schedule page for my talk[1] has a link to the slides[2].

I'd like to continue discussing reproducible builds in the FreeBSD
context, but for now just want to capture some data from my talk so
that it's available for interested maintainers of individual ports
who'd like to take a look. I used src r300165 and ports r415464, with
a few patches as described in the talk.

I've put data from the ports build runs for my talk at [3]. In that
directory nonrepro.1.txt contains the set of packages that built
nonreproducibly (with a patch that sets the timestamps in pkg's output).
nonrepro.4.txt contains the set of packages that built nonreproducibly
with the patch above, SOURCE_DATE_EPOCH set in the build environment,
a Clang patch[4] to honour SOURCE_DATE_EPOCH, and a change to make GNU
ar default to deterministic archives, since committed as ports

Diffoscope[5] is a tool that attempts to show the differences between
two binary artifacts in a concise and human-readable form. It's
available in ports as sysutils/py-diffoscope and in the
py34-diffoscope package. You can also try it out online[6]. In the
diffoscope/ subdirectory[7] I've put the output for most of the
nonreproducible packages. (Some packages[8] are excluded because of
excessive diffoscope runtime.)
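The post names two of the mechanisms behind nonreproducible packages (build timestamps and tools that do not honour SOURCE_DATE_EPOCH) and the tool used to inspect the results (diffoscope). The following added example, which is not code from the post or from the FreeBSD project, shows both ends of that in miniature: a toy packager that writes a tar archive from a constructed source tree, a check that builds it twice under different wall-clock times and listing orders and compares the hashes, and a crude "first differing byte" locator standing in for what diffoscope reports. The sample file contents, the two build times and the SOURCE_DATE_EPOCH value are all constructed for the example; the environment is passed in as a dict so the script runs offline without touching the real os.environ.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree" (path -> contents); not taken from the post.
SAMPLE_SOURCES = {
    "usr/local/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/local/share/doc/hello/README": b"hello, reproducibly\n",
}


def build_package(sources, build_time, env):
    """Toy packager: write `sources` into a tar archive and return its bytes.

    `build_time` is the wall-clock time of this build. When SOURCE_DATE_EPOCH
    is present in `env`, every member mtime is set to it (the convention the
    post describes for pkg and Clang) and members are written in sorted
    order, so neither the clock nor directory-listing order leaks into the
    output. Without it the archive carries the build time and the caller's
    iteration order, which is exactly the nondeterminism being hunted.
    """
    sde = env.get("SOURCE_DATE_EPOCH")
    if sde is not None:
        mtime = int(sde)          # honour the pinned timestamp
        order = sorted(sources)   # deterministic member order
    else:
        mtime = int(build_time)   # "now", different on every run
        order = list(sources)     # whatever order we were handed

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in order:
            data = sources[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def is_reproducible(sources, env):
    """Build twice, an hour apart and with the source listing reversed, and
    report whether the two artifacts hash identically."""
    first = build_package(sources, build_time=1_465_000_000, env=env)
    reordered = dict(reversed(list(sources.items())))
    second = build_package(reordered, build_time=1_465_003_600, env=env)
    return sha256(first) == sha256(second)


def first_difference(a, b):
    """Offset of the first differing byte, or None if the inputs are identical.
    A very crude stand-in for diffoscope's structured diff."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


if __name__ == "__main__":
    pinned = {"SOURCE_DATE_EPOCH": "1464739200"}  # constructed: 2016-06-01 UTC
    print("without SOURCE_DATE_EPOCH:", is_reproducible(SAMPLE_SOURCES, {}))
    print("with SOURCE_DATE_EPOCH:   ", is_reproducible(SAMPLE_SOURCES, pinned))
    a = build_package(SAMPLE_SOURCES, 1_465_000_000, {})
    b = build_package(SAMPLE_SOURCES, 1_465_003_600, {})
    print("first differing byte offset (no pin):", first_difference(a, b))
```

The run without SOURCE_DATE_EPOCH fails, and the first difference lands inside the first tar header at the mtime field, which is the same kind of finding diffoscope surfaces for the packages in the post's data. A real build tool would read SOURCE_DATE_EPOCH from os.environ rather than from a dict; the dict is only so the example is self-contained.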
