From: Ed Maste
Date: Thu, 16 Jun 2016 10:10:52 -0400
Subject: Some reproducible builds notes
To: ports@freebsd.org

I recently presented on "Reproducible Builds in FreeBSD" at BSDCan. For anyone unfamiliar with the topic, from https://reproducible-builds.org/

"Reproducible builds are a set of software development practices which create a verifiable path from human readable source code to the binary code used by computers."

In brief, the idea is that building the same binary, software package, document or other binary artifact twice from the same source produces identical output. There's good background information, documentation on making builds reproducible, and links to test results on the reproducible-builds.org site.

Many folks have contributed to the reproducible build effort in FreeBSD src and ports over time -- at least a decade. There are many practical benefits of reproducible builds (such as bandwidth and storage savings). However, there's been a growing interest over the last few years in the broad open source and free software community in the topic, coming primarily from a software and toolchain integrity perspective. Over the last few years some Debian folks have been leading a comprehensive and structured reproducible builds effort.

bapt@ and I attended the first Reproducible Builds Summit in Athens last year, and I had a talk accepted at BSDCan on it. The BSDCan schedule page for my talk[1] has a link to the slides[2].

I'd like to continue discussing reproducible builds in the FreeBSD context, but for now just want to capture some data from my talk so that it's available for interested maintainers of individual ports who'd like to take a look.

I used src r300165 and ports r415464, with a few patches as described in the talk. I've put data from the ports build runs for my talk at [3]. In that directory nonrepro.1.txt contains the set of packages that built nonreproducibly (with a patch to set the timestamps in pkg's output). nonrepro.4.txt contains the set of packages that built nonreproducibly with the patch above, SOURCE_DATE_EPOCH set in the build environment, a Clang patch[4] to honour SOURCE_DATE_EPOCH, and a change to make GNU ar default to deterministic archives, since committed as ports r416639.

Diffoscope[5] is a tool that attempts to show the differences between two binary artifacts in a concise and human-readable form. It's available in ports as sysutils/py-diffoscope and in the py34-diffoscope package. You can also try it out online[6].

In the diffoscope/ subdirectory[7] I've put the output for most of the nonreproducible packages. (Some packages[8] are excluded because of excessive diffoscope runtime.)

[1] http://www.bsdcan.org/2016/schedule/events/714.en.html
[2] http://www.bsdcan.org/2016/schedule/attachments/375_2016-06-11-BSDCan-2016-Reproducible-Builds.pdf
[3] https://people.freebsd.org/~emaste/reproducible-builds/iteration-1/
[4] http://reviews.llvm.org/D20791
[5] https://diffoscope.org/
[6] https://try.diffoscope.org/
[7] https://people.freebsd.org/~emaste/reproducible-builds/iteration-1/diffoscope/
[8] https://people.freebsd.org/~emaste/reproducible-builds/iteration-1/excessive-diffoscope-runtime.txt
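
An added example, not part of the original message or of any FreeBSD or binutils code: a minimal writer for the ar member header layout, showing how the timestamp and owner fields make two builds of identical objects differ and how deterministic mode (`ar -D`) removes that difference. The object names, contents, timestamps and IDs are constructed sample values.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_member(name, data, mtime, uid, gid, mode, deterministic):
    """One member: 60-byte ASCII header, then data padded to an even length."""
    if deterministic:
        # Deterministic mode (ar -D): zero timestamp and owner, fixed 0644 mode.
        mtime, uid, gid, mode = 0, 0, 0, 0o644
    header = (f"{name + '/':<16}{mtime:<12}{uid:<6}{gid:<6}"
              f"{mode:<8o}{len(data):<10}`\n").encode("ascii")
    if len(header) != 60:
        raise ValueError("field overflow; long names need the extended name table")
    return header + data + (b"\n" if len(data) % 2 else b"")

def build_archive(members, deterministic):
    return AR_MAGIC + b"".join(
        ar_member(deterministic=deterministic, **m) for m in members)

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def differing_offsets(a, b):
    """Byte offsets at which two equal-length archives disagree."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample: the same two object files archived by two build runs
# that differ only in file mtime and in the building user's uid/gid.
OBJECTS = [("foo.o", b"constructed object code A"),
           ("bar.o", b"constructed object B")]

def build_run(mtime, uid, gid):
    return [dict(name=n, data=d, mtime=mtime, uid=uid, gid=gid, mode=0o100644)
            for n, d in OBJECTS]

RUN_1 = build_run(1466086271, 1001, 1001)
RUN_2 = build_run(1466089905, 0, 0)

if __name__ == "__main__":
    for det in (False, True):
        a, b = build_archive(RUN_1, det), build_archive(RUN_2, det)
        verdict = "identical" if a == b else f"differs from offset {differing_offsets(a, b)[0]}"
        print("deterministic" if det else "default", digest(a)[:16], digest(b)[:16], verdict)
```

In the default mode every differing byte lies in a member header (mtime, uid, gid), never in the object data, which is the kind of difference diffoscope reports for static libraries.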