From: Oliver Smith
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Report from Reproducible builds summit 2018
Date: Tue, 18 Dec 2018 08:27:00 +0000
In-Reply-To: <20181217133328.4dd1ef26@ncopa-desktop.copa.dup.pw>
References: <20181217133328.4dd1ef26@ncopa-desktop.copa.dup.pw>

Hello Natanael and ML,

I'm glad to read about this, thank you for this writeup!

I've looked into reproducible builds myself last year, and even had a proof of concept with a few packages. The tooling can't be re-used, as it was based on pmbootstrap from postmarketOS, not Alpine's abuild directly. But maybe I can help with some insights or contribute otherwise.

Natanael Copa:
> * we may need to store the exact versions and/or hashes of the
> dependencies used when a package was built. I am not sure where we
> want to store this. Maybe in the APKINDEX?

I had created a .buildinfo.json file, where I placed all dependencies that were installed at build time, with their versions. That file was placed next to the main apk (so no extra buildinfo file for subpackages) in the binary repository directory. Storing the hashes would be even better.

I chose JSON, as it's trivial to parse with Python, but since Alpine's build tools are lightweight and do not depend on Python, using another format probably makes more sense.

The idea for this file was based on Debian's buildinfo file, which is described here:
https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles

The APKINDEX is generated from the apk files, so we would need to have the information elsewhere already, right?

> * we embed the signature in the .apk, which means it's not possible to
> re-create the exact same .apk without having access to the private
> key. I'm not sure how to deal with that.

My cheap workaround for that was: just make all files inside the .apk file reproducible, not the apk itself.

It would be better to have the entire apk reproducible of course, but to do that, we would need to store the signature elsewhere (e.g. create a .sig file for each .apk). Having an extra signature file might also make it easier to allow multiple entities to sign an apk, e.g. after an independent rebuild.

Regards,
Oliver
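The workaround described above (compare the files inside two .apk files and ignore only the embedded signature) can be checked with the following Python script, added here as an example; it is not part of the original post or of Alpine's tooling. It assumes the apk-tools layout of three concatenated gzip'd tar segments (signature, control, data) and the `.SIGN.` member-name prefix for the signature; `make_apk` produces a constructed stand-in package for testing, not a real one.

```python
import gzip
import hashlib
import io
import tarfile

SIGNATURE_PREFIX = ".SIGN."  # apk signature members are named .SIGN.RSA.<keyname> (assumed convention)


def apk_content_digests(apk: bytes) -> dict:
    """SHA-256 of every regular file in the apk (tar type for other members), skipping the signature.
    An apk is three concatenated gzip streams; GzipFile reads them all and the tar segments chain."""
    digests = {}
    with gzip.GzipFile(fileobj=io.BytesIO(apk)) as gz, tarfile.open(fileobj=gz, mode="r|") as tar:
        for m in tar:
            if m.name.startswith(SIGNATURE_PREFIX):
                continue  # the one part an independent rebuilder cannot reproduce
            if m.isfile():
                digests[m.name] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                digests[m.name] = f"type:{m.type!r}:{m.linkname}"
    return digests


def diff_apk_contents(a: bytes, b: bytes) -> dict:
    """{member: (digest in a, digest in b)} for members that differ or exist on one side only."""
    da, db = apk_content_digests(a), apk_content_digests(b)
    return {n: (da.get(n), db.get(n)) for n in sorted(set(da) | set(db)) if da.get(n) != db.get(n)}


def _segment(files: dict, strip_trailer: bool) -> bytes:
    """Constructed helper: one gzip'd ustar segment. Signature and control segments of a real apk
    have the end-of-archive blocks stripped so the three segments chain; the data segment keeps them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 0  # fixed mtime: part of making the content reproducible
            tar.addfile(info, io.BytesIO(data))
    raw = buf.getvalue()
    if strip_trailer:  # keep only header block + padded data blocks of each entry
        raw = raw[:sum(512 + (len(d) + 511) // 512 * 512 for d in files.values())]
    return gzip.compress(raw, mtime=0)


def make_apk(signature: bytes, pkginfo: bytes, files: dict) -> bytes:
    """Constructed stand-in for a signed apk (not a real package): signature + control + data."""
    return (_segment({".SIGN.RSA.constructed.rsa.pub": signature}, True)
            + _segment({".PKGINFO": pkginfo}, True) + _segment(files, False))


if __name__ == "__main__":
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n"}
    pkginfo = b"pkgname = hello\npkgver = 1.0-r0\n"
    rebuilt = make_apk(b"rebuilder-signature", pkginfo, files)  # different signer, same content
    print("reproducible:", diff_apk_contents(make_apk(b"alpine-signature", pkginfo, files), rebuilt) == {})
```

An empty diff means the rebuilt package matches file for file even though the two .apk files differ byte for byte because of the signature segment.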