[OE-core] The state of reproducible Builds

Douglas Royds douglas.royds at taitradio.com
Tue Jul 2 00:43:06 UTC 2019

On 2/07/19 3:58 AM, Joshua Watt wrote:

> 1. Testing RPM and IPK package formats. I think RPMs will be pretty 
> easy; IPKs might be more challenging since AFAIK the tools that make 
> them don't generate reproducible output to begin with.

This has not been my experience. I have been building reproducible ipks; 
indeed, it is the hashsums of the ipks that I've been examining. In most 
cases, the correct SOURCE_DATE_EPOCH is enough, but there have been 
cases where I've had to correct upstream projects to cope with the 
SOURCE_DATE_EPOCH or avoid the effect of differing uname settings.

> 1. HOSTTOOLS differences. There are a lot of tools listed in 
> HOSTTOOLS, and unfortunately some of them have version dependent 
> output and are used for target builds (the one I've currently stumbled 
> upon is pod2man, but I'm sure there are others). Unfortunately, one 
> could probably argue that HOSTTOOLS is somewhat antithetical to the 
> above statement, at least in regard to target builds. Any host tool 
> output that "leaks" into the target build output can result in a 
> non-reproducible build across hosts, and possibly should be avoided; 
> the alternative is to use (or mandate) the corresponding -native 
> recipe that provides that tool as a DEPENDS so that the controlled 
> internally built version is used instead. Note that this only really 
> applies to target builds, not -native (or nativesdk right now). -native 
> recipes would obviously need more HOSTTOOLS to help bootstrap the 
> system. I suspect this would require reworking how HOSTTOOLS works so 
> that they can be split into two categories somehow; the tools that 
> have "ubiquitous and stable" interfaces and are fine for all recipes 
> (e.g. cat, sed, true, rm, etc.) and those that are variable and should 
> only be used for -native builds (e.g. pod2man, rpcgen(?), chrpath(?), 
> tar(?)... others?). Anyone have thoughts on this?

Perhaps reproducibility is the decision-point for adding a tool to the 
HOSTTOOLS: If the precise version of the tool has no impact on 
reproducibility (e.g. cat, sed, and even gawk), it is a good candidate 
for the HOSTTOOLS. pod2man shouldn't be in the HOSTTOOLS, because we 
need to control the version.
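
The hashsum comparison described in this message, as an added example that is not part of the original post or of OE-core's tooling: the same two files are packed on two simulated build hosts, first with host state leaking into the archive and then with that state pinned to SOURCE_DATE_EPOCH. The function name `build_tgz`, the file trees, user names and epoch value are all constructed for the illustration, and it models only a gzip-compressed tarball, not the full ipk container.

```python
import gzip
import hashlib
import io
import tarfile

SOURCE_DATE_EPOCH = 1561939200  # constructed value for the example

# Constructed trees: identical contents, but each host saw the files in a
# different order and wrote them at a different time.
HOST_A = [("./usr/bin/hello", b"#!/bin/sh\necho hi\n", 1562000000),
          ("./etc/hello.conf", b"greeting=hi\n", 1562000005)]
HOST_B = [("./etc/hello.conf", b"greeting=hi\n", 1562090011),
          ("./usr/bin/hello", b"#!/bin/sh\necho hi\n", 1562090003)]

def build_tgz(tree, builder, epoch=None):
    """Pack (path, data, mtime) entries and return the sha256 of the tar.gz.

    With epoch=None the host's ordering, timestamps and build user end up
    in the archive. With an epoch, every one of those inputs is pinned.
    """
    pinned = epoch is not None
    entries = sorted(tree) if pinned else list(tree)  # stable member order
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path, data, mtime in entries:
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mode = 0o644
            if pinned:
                info.mtime = min(mtime, epoch)  # clamp newer timestamps down
                info.uid = info.gid = 0
                info.uname = info.gname = "root"
            else:
                info.mtime = mtime
                info.uid = info.gid = 1000
                info.uname = info.gname = builder
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # The gzip header carries its own timestamp, so it must be pinned too.
    gz_mtime = epoch if pinned else max(m for _, _, m in tree)
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(raw.getvalue())
    return hashlib.sha256(out.getvalue()).hexdigest()

if __name__ == "__main__":
    print("leaky :", build_tgz(HOST_A, "alice"), build_tgz(HOST_B, "bob"))
    print("pinned:", build_tgz(HOST_A, "alice", SOURCE_DATE_EPOCH),
          build_tgz(HOST_B, "bob", SOURCE_DATE_EPOCH))
```

Clamping only normalises timestamps newer than the epoch, which is why the constructed mtimes above are all later than SOURCE_DATE_EPOCH, as they would be for files generated during a build.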
