From 8cfbc7123b88dd5b5a2d4a3779acc8f95a28d375 Mon Sep 17 00:00:00 2001 From: Holger Levsen Date: Sun, 18 Oct 2015 18:10:43 +0200 Subject: reproducible archlinux and fedora plans --- TODO | 56 +++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 45 insertions(+), 11 deletions(-) diff --git a/TODO b/TODO index c0e34f05..faa10b24 100644 --- a/TODO +++ b/TODO @@ -131,8 +131,12 @@ properties: ** diffoscope needs to be run on the target arch... (or rather: run on a 64bit architecture for 64bit architectures and on 32bit for 32 bit archs), this should probably be doable with a simple i386 chroot on the host (so using qemu-static to run it on armhf should not be needed, probably.) * higher prio: -** rewrite bin/schroot-create.sh from scratch, with little sudo +** document in the non-debian pages, that we don't have a clear idea yet, how to record+reproduce the build environment and that this is essential for reproducible builds too. +** explain status in plain english on each coreboot/openwrt/netbsd/freebsd page, also on the Debian dashboard plus add an "executive summary about reproducible builds in the free software world" +*** get the content for "

status of $1

" from notes.git/friends.yaml or such +** rewrite bin/schroot-create.sh from scratch, with little sudo. *** analyse+summarize needs, git commit that, then writing the script will be trivial +*** use schroot tarballs (gzipped), moves are atomic then ** notes related: *** #786396: classify issue by "toolchain" or "package" fix needed: show bugs which block a bug *** new page with annoted packages without categorized issues (and probably without bugs as only note content too, else there are too many) @@ -143,8 +147,6 @@ properties: *** new page with packages which ftbfs in testing but build fine on sid ** new page: packages which are orphaned but have a reproducible usertagged patch ** use static IPs (h01ger) -** explain status in plain english on each coreboot/openwrt/netbsd/freebsd page, also on the Debian dashboard plus add an "executive summary about reproducible builds in the free software world" -*** get the content for "

status of $1

" from notes.git/friends.yaml or such ** mattia: .py scripts: UDD or any db connection errors should either be retried or cause an abort (not failure!) of the job ** save build-hosts in build_duration table (and change to saving the time of a single build, not both combined?) ** repo-comparison: check for binaries without source 
@@ -279,13 +281,44 @@ properties: ==== reproducible Fedora -* use mock to create a fedora chroot to build in +* call the script reproducible_rpms.sh as it can also build OpenSuSE packages +* create jessie schroot with mock and yum installed +** 'groupadd --system mock' +** 'usermod -a -G mock jenkins' +** see below for '/etc/yum/repos.d/' +* then use yumdownloader to download rpms: 'yumdownloader --source sudo' +** https://mirrors.fedoraproject.org/metalink?repo=fedora-23&arch=X86_64 has a list of repos +* then configure+use mock to build: +** 'sudo mock -r fedora-20-x86_64 --init' +** 'sudo mock -r fedora-20-x86_64 sudo-1.8.14p3-1.fc23.src.rpm' + +---- +$ cat /etc/yum/repos.d/fedora23.repo +[fedora23-src] +name=fedora 23 sources +baseurl=http://fedora.mirrors.telekom.ro/pub/fedora/linux/development/23/source/SRPMS +enabled=1 +gpgcheck=0 +#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release +---- + +---- +# releasever=22 or 23 or… basearch=x86_64 +[fedora] +name=Fedora $releasever - $basearch +failovermethod=priority +#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/ +metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch +enabled=1 +#metadata_expire=7d +gpgcheck=1 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch +skip_if_unavailable=False +---- + +* more notes: ** http://blog.packagecloud.io/eng/2015/05/11/building-rpm-packages-with-mock/ ** http://blog.packagecloud.io/eng/2015/04/20/working-with-source-rpms/ -* start with building a single package (which is reproducible on Debian), only build that one, until its reproducible -** then eventually build the full base system (100-500 packages), once that package is reprodcuible (aka the rpm toolchain has been fixed...) -* maybe call the script reproducible_rpms.sh and also let it build OpenSuSE packages? 
-* document in the initial webpage, that we don't have a clear idea yet, how to record+reproduce the build environment. +that this is essential for reproducible builds too. ==== reproducible Arch Linux @@ -293,15 +326,16 @@ properties: ** needs to download bootstrap.tar.gz sig and verify * use regular maintenace job to update the arch schroot: 'schroot --directory /tmp -c source:jenkins-reproducible-arch -u root -- pacman -Syu --noconfirm' * arch build.sh: -** introduce variations: USER +** introduce more variations: USER +** confirm the others are really working ** 'makepkg --skippgpcheck' should be replaced by 'makepkg' and 'echo "keyserver-options auto-key-retrieve" >> ~/.gnupg/gpg.conf' *** this should make this obselete: 'schroot --directory /tmp -c source:jenkins-reproducible-arch -- grep ^validpgpkeys= $PKG/PKGBUILD|cut -d "'" -f2|xargs schroot --directory /tmp -c source:jenkins-reproducible-arch -- gpg --recv-keys' * create a working scheduler job +** test 'extra' too ** idea: reschedule reverse build depends too * more random notes: -** patch pacman to create .buildinfo files - or better: wait ** rename arch scripts and jobs to archlinux -*** remember to adop cleanup_schroot_sessions() in common_functions.sh when renaming the schroots +*** remember to adopt cleanup_schroot_sessions() in common_functions.sh when renaming the schroots ** use archlinux.css not the one from freebsd :) *** use arch logo -- cgit v1.2.3-70-g09d2
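Review bot: in the first hunk (@@ -131,8 +131,12), the new sub-item '*** use schroot tarballs (gzipped), moves are atomic then' leaves out the condition that makes it true. A move is only atomic when the new tarball is written on the same filesystem as its final path, so that mv is a rename and not a copy plus delete. Suggest wording it as "build the new tarball next to the old one, then mv it into place", so the rewritten bin/schroot-create.sh does not end up staging in /tmp on a different mount.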
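Review bot: in the "reproducible Fedora" hunk (@@ -279,13 +281,44), the [fedora23-src] stanza sets 'gpgcheck=0', leaves 'gpgkey' commented out and uses a plain http 'baseurl', so the source RPM fetched with 'yumdownloader --source sudo' is not authenticated before mock builds it. The second stanza in the same hunk already uses 'gpgcheck=1' with a Fedora gpgkey; the source repo should do the same, or the list should gain an explicit item to enable the check before this is used for real builds (the commented-out key path names RPM-GPG-KEY-redhat-release, not a Fedora key). Two smaller points in the same hunk: the mock commands use '-r fedora-20-x86_64' while the package is 'sudo-1.8.14p3-1.fc23.src.rpm' and the repo is Fedora 23, which deserves a note on whether the mismatch is intended; and the last added line, '+that this is essential for reproducible builds too.', is a dangling fragment now that the line it continued is removed. The full sentence already lives in the first hunk, so the fragment can be dropped.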
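Review bot: in the "reproducible Arch Linux" hunk (@@ -293,15 +326,16), '** patch pacman to create .buildinfo files - or better: wait' is removed with nothing in its place, although the first hunk of this same patch adds that recording and reproducing the build environment "is essential for reproducible builds too". Suggest keeping a one-line item that says what is being waited for, so the Arch side does not lose its only entry on recording the build environment. Also, '** confirm the others are really working' does not say which variations are meant; listing them next to 'USER' would make the item checkable. While touching this block ('adop' to 'adopt'), the context lines still carry 'maintenace' and 'obselete'.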