Buildroot:ReproducibleBuilds

As part of a Google Summer of Code project, Atharva Lele works on reproducible builds.

Away time
Arnout is away on: 30-31/5; 10/6; some time in July; 15-19/8.

Meetings
Weekly meetings on appear.in/buildroot every Tuesdays at 14:30 UTC.


 * 2019-W20
 * introductions
 * confirm overal actions and planning
 * 2019-W21
 * Confirmed that starting from next week, work is full-time on GSoC (end of exams)
 * Review of the Yocto implementation
 * differences: Yocto is a distribution, so has a cache of the output, while buildroot does not
 * SOURCE_DATE_EPOCH and TZ: already done (depends on BR2_REPRODUCIBLE)
 * Doing similar in Buildroot:
 * Do a first build with a successfull config from autobuilders, after enabling BR2_REPRODUCIBLE
 * Then mv $(O)/target to $(O)/target-1; make clean; make
 * And then run diffoscope target-1 target/
 * Identify diffoscope dependencies to run it in autobuilders (eventually)
 * How to save and present the result on autobuilder site?

Yocto's Implementation

 * Wiki page: Reproducible Builds


 * Shared State Mechanism: If input metadata hashes are same, outputs are reused. If inputs have changed, tools from Reproducible-Builds to be used. Further development yet to be done.
 * At this stage, binary contents should be same. However file timestamps (due to package managers) may be different.
 * Static Timezone value: Bugzilla
 * Adapted SOURCE_DATE_EPOCH: Bugzilla, Source-Date-Epoch - Reproducible Builds
 * Archives generated with deterministic metadata (using archive tools' arguments)
 * Remove non-deterministic data from rootfs


 * Diffoscope data on their shared states: yocto-reproduciblebuilds-data

Planning

 * Week 20: study how yocto does it
 * Week 21: ...
 * Week 22: do two builds in autobuild-run script