[Buildroot] Build reproducibility

Peter Korsgaard jacmet at uclibc.org
Tue Sep 3 06:26:07 UTC 2013


>>>>> "Arnout" == Arnout Vandecappelle <arnout at mind.be> writes:

Hi,

 Arnout>  What is much more likely to happen is that there is some optional
 Arnout> dependency in the package's configure or build system that is not
 Arnout> expressed in Config.in or pkg.mk. Most reviewers do not run a
 Arnout> 'configure --help', and even then it is easy to miss something. Since
 Arnout> the dependency is optional, the build will not fail either way. Only,
 Arnout> when user A builds it, TLS support is included, but when user B builds
 Arnout> it, it is not... That's the kind of lack of reproducibility we really
 Arnout> need to avoid.

Indeed.

 Arnout>  Note that doing more randomized build order in the autobuilder also
 Arnout> will not capture the latter scenario. You would have to compare the
 Arnout> build result - but binary differences are likely because of changing
 Arnout> timestamps or changing optimizations depending on memory randomness.

Exactly. I don't have any good ideas about how to detect this (besides
building all packages in clean staging dirs, e.g. only populated with
its explicit dependencies like afaik OE lite can do, but that would
require quite some work), anyone?

-- 
Bye, Peter Korsgaard
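
One way to surface the undeclared optional dependency discussed above without diffing binaries, as an added example that is not from this thread or from Buildroot: compare the `checking ...` probe lines that autoconf-generated configure scripts print in two builds of the same package, which are not affected by timestamps. The function names and the two sample outputs are constructed for illustration, and the approach only covers autoconf-style packages.

```python
import re

# autoconf-generated configure scripts report each probe as
# "checking <probe>... <result>", optionally prefixed with "(cached)".
CHECK_RE = re.compile(r"^checking (?P<probe>.+?)\.\.\.\s*(?P<result>.*)$")

def parse_checks(configure_output):
    """Map each configure probe to the result it reported."""
    results = {}
    for line in configure_output.splitlines():
        m = CHECK_RE.match(line.strip())
        if not m:
            continue  # "configure: creating ..." and other non-probe lines
        result = re.sub(r"^\(cached\)\s*", "", m.group("result").strip())
        results[m.group("probe")] = result
    return results

def diff_checks(output_a, output_b):
    """Return {probe: (result_a, result_b)} for probes whose result differs.

    A probe missing from one build is reported with None on that side.
    """
    a, b = parse_checks(output_a), parse_checks(output_b)
    return {
        probe: (a.get(probe), b.get(probe))
        for probe in sorted(set(a) | set(b))
        if a.get(probe) != b.get(probe)
    }

# Constructed sample: same package and same configuration, but in build A
# an SSL library already happened to be present in the staging directory.
BUILD_A = """\
checking for gcc... arm-linux-gcc
checking whether the C compiler works... yes
checking for SSL_new in -lssl... yes
checking for zlib.h... (cached) yes
configure: creating ./config.status
"""
BUILD_B = """\
checking for gcc... arm-linux-gcc
checking whether the C compiler works... yes
checking for SSL_new in -lssl... no
checking for zlib.h... yes
configure: creating ./config.status
"""

if __name__ == "__main__":
    for probe, (res_a, res_b) in diff_checks(BUILD_A, BUILD_B).items():
        print(f"{probe}: build A = {res_a!r}, build B = {res_b!r}")
```

A probe that flips between two builds of an identical configuration points at a dependency that should be either declared in Config.in and the package .mk file or explicitly disabled on the configure command line.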


