Reproducibility of packages in the ARM repos

Development on core packages and the distribution goes on in here.

Reproducibility of packages in the ARM repos

Postby esotericnonsense » Tue Nov 19, 2019 4:27 pm

Hi,

Over in #archlinux-reproducible on freenode and along with the Reproducible Builds project on https://reproducible-builds.org/ we've been working on making arch x86_64 reproducible; a large part of [core] is now repro, changes have been made to pacman and other dev tools to make this possible, etc.

I've been using Eli Schwartz' `makerepropkg` tool (hopefully going live in devtools soon) to try and reproduce packages in the alarm repo. This works to a point; you need a historical package archive but I've been able to create that for myself.

The problem I'm having now is that I'm not sure the final PKGBUILDs and associated patches are made public. The repo here https://github.com/archlinuxarm/PKGBUILDs has some customizations, but even then the hashes don't match:

$this->bbcode_second_pass_code('', '
PKGBUILDs/extra/thunderbird $ grep -E "^pkgver|^pkgrel" PKGBUILD; sha256sum PKGBUILD
pkgver=68.2.2
pkgrel=2
f4bced8bf8ba4c8cd0a8efd04d7f63119aa36c14e4776e53cc40186450c74083 PKGBUILD
PKGBUILDs/extra/thunderbird $ tar -Oxf /var/cache/pacman/pkg/thunderbird-68.2.2-2-aarch64.pkg.tar.xz .BUILDINFO | grep sha256sum
pkgbuild_sha256sum = 9d721cfa4ed1d1652006db10b7a287f01ca4e18d8984e879c5e1ee68588dec54
')

which implies that PKGBUILDs are being modified somewhere in the build process, but I can't find the code that does this.

Any ideas? How can I get hold of the PKGBUILDs and associated files that are actually being used for the binary repos?
esotericnonsense
 
Posts: 3
Joined: Sat Nov 16, 2019 7:11 am

Return to Arch Linux ARM

Who is online

Users browsing this forum: No registered users and 9 guests