Reproducible builds support

Question

Reproducible builds support

Opened this issue 3 years ago · 3 comments

Does snyth support reproducibly built packages through SOURCE_DATE_EPOCH? If SOURCE_DATE_EPOCH is set to the TIMESTAMP in distinfo when pkg create is called, it should allow for a number of packages to be reproducible.

Answer 1 · 2022-02-24T16:54:03.000Z

I can't find current documentation on SOURCE_DATE_EPOCH. I assume the ports tree sets it under specific circumstances, probably a make.conf variable or the setting of an environment variable. If you tell me how it's done for poudriere, I can likely tell you how to set it on synth too. John

…

On Wed, Feb 23, 2022 at 1:48 PM sometato ***@***.***> wrote: Does snyth support reproducibly built packages through SOURCE_DATE_EPOCH? If SOURCE_DATE_EPOCH is set to the TIMESTAMP in distinfo when pkg create is called, it should allow for a number of packages to be reproducible. — Reply to this email directly, view it on GitHub <#206>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAISZ5SQIKAW4KHH2CDFOQ3U4U2YHANCNFSM5PFLAH4Q> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>

Answer 2 · 2022-03-15T17:22:52.000Z

You know, I can't actually find it for Poudriere, either.

I do see it here: https://www.freebsd.org/cgi/man.cgi?pkg-create(8)#end

     SOURCE_DATE_EPOCH
		      Set the timestamp	for every single file in the archive
		      to the one specified in the environment variable

More info here: https://reproducible-builds.org/docs/source-date-epoch/

I would use the timestamp in distinfo to set SOURCE_DATE_EPOCH when calling pkg create, or maybe even before. I wonder though if there's a ports make macro that does this already, and a different environment variable that Poudriere might be setting.

Answer 3 · 2022-10-17T17:53:18.000Z

you could actually have a script update an environment file that synth picks up.
from man page

<profile>-environment
		       This is an optional, user-provided file.	It contains a
		       list of name-value pairs	joins with an equals sign
		       (e.g. HTTP_PROXY=http://proxyserver:8888/), one pair per
		       line.  If the file exists, these	variables will be de-
		       fined in	the builder environment.  For the default pro-
		       file, the file would normally be	located	at
		       /usr/local/etc/synth/LiveSystem-environment

so you can set SOURCE_DATE_EPOCH yourself in that file