Reproducible builds: are release tarballs a part of it?

Reply: Ed Maste : "Re: Reproducible builds: are release tarballs a part of it?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Pat Maddox <pat_at_patmaddox.com>
Date: Mon, 09 Dec 2024 11:07:37 UTC

I am trying to reproduce https://download.freebsd.org/releases/amd64/14.2-RELEASE/MANIFEST from source. Is that possible?

As part of this effort, I am having trouble reproducing base.txz across any two builds at all - much less the published one.

What I'm seeing is that two successive invocations of `make -s -j20 -DWITH_REPRODUCIBLE_BUILD TZ=UTC PKG_TIMESTAMP=1733729386 packagesystem` will produce tarballs with different checksums, even though when extracted will match mtree cksum. `tar -tf` shows the file list as being in a different order, which I suspect is the reason why. They also have different timestamps.

I would like to be able to clone the repo at REVISION, run make, and produce a matching MANIFEST.

Before I do that, I would like to do two consecutive runs on my local tree and get the same result.

Assuming it's possible, what's the command?

Pat