The reproducible builds initiative was started a long time ago by Debian and has since grown to include many more projects. Arch is now also in the process of getting reproducible build support, thanks to the hard work of Anthraxx, Sangy, and many more volunteers. Patches to support reproducible builds have landed in pacman's git and will be included in a hopefully soon next stable release! Meanwhile, with the help of the reproducible-builds.org rebuild infrastructure, rebuilds have been started!
Currently 77% of the 17% of packages tested are reproducible, as can be found here. This page is fed by the work of two Jenkins builders, which currently build the whole Arch repository. The builder builds each package twice in different environments and then uses diffoscope to find differences between the two packages. Usually the differences are due to timestamps :-). Now that we have some rebuild results, we can start fixing our packages. The work I did so far:
Fixing 404 sources of our packages; some of the source failures were due to ftp://kernel.org being used instead of https://www.kernel.org. This has been fixed in SVN. Old PyPI links also needed to be fixed.
One package's .install file contained a killall statement; I'm not sure why, but it shouldn't be required, so it was eradicated.
An integrity mismatch, because upstream did a ninja re-release: annoying, but fixed.
ImageMagick's convert sets some metadata in the resized PNGs, which makes the reproducible build fail, since convert does not honour SOURCE_DATE_EPOCH.
A missing checkdepends on pytest-runner, which is automatically downloaded by the build tools but failed in the reproducible build. Simply adding the dependency to checkdepends fixed it.
As you can see, only one of the bullet points was really a reproducible build issue; the others were packaging issues. So I can conclude that reproducible builds will increase the packaging quality of the Arch repository. Having the packages in our repository always buildable will also help the Arch Linux 32 project.
The Arch reproducible project still needs a lot of work to make it possible for a user to verify a package build against the repository package.
P.S.: If you are at 34C3 this year and interested, visit the reproducible build assembly.
Reproducible Arch Linux?! was originally published by Jelle van der Waa at Jelly's Blog on November 26, 2017.