[OE-core] The state of reproducible Builds

Martin Hundebøll martin at geanix.com
Tue Jul 2 14:32:31 UTC 2019


On 02/07/2019 16.13, Joshua Watt wrote:
>> For detecting malicous binaries not built from the claimed sources 1. is
>> sufficient. For distributions like Debian that build natively this is
>> even the only option available since the host compiler is used.
>> Doing 2. would of course be more desirable, but it can also be done in
>> a second step after all issues related to building on exactly the same
>> host have been sorted out.
> I think there are also other use cases for #2 besides detecting 
> malicious binaries/source code, such as hash equivalence, or even being 
> able use sstate when making a reproducible build. You are correct that 
> this can be done in a second step, but I think that everyone needs to be 
> aware of the limitations that will present when #2 is not present (the 
> main one being that you probably can't make a reproducible build if you 
> use sstate).

Our use case for reproducible builds is to limit delta update sizes. 
I.e. updating one package shouldn;t change the binary output from other 
independent packages.

// Martin

More information about the Openembedded-core mailing list