mention concrete environment variables

Hannes Mehnert 2021-07-05 14:08:50 +02:00
parent 6930bf1d55
commit aa53dbdb8c


@ -49,7 +49,7 @@ To provide a high level of assurance and trust, if you distribute binaries in 20
For a reproduction to be successful, you need to collect the checksums of all sources that contributed to the built, together with other things (host system packages, environment variables, etc.). Of course, you can record the entire OS and sources as a tarball (or file system snapshot) and distribute that - but this may be suboptimal in terms of bandwidth requirements.
With opam, we already have precise tracking which opam packages are used, and since opam 2.1 the `opam switch export` includes [extra-files (patches)](https://github.com/ocaml/opam/pull/4040) and [records the VCS version](https://github.com/ocaml/opam/pull/4055). Based on this functionality, [orb](https://github.com/roburio/orb), an alternative command line application using the opam-client library, can be used to collect (a) the switch export, (b) host system packages, and (c) the environment variables. Only required environment variables are kept, all others are unset while conducting a build.
With opam, we already have precise tracking which opam packages are used, and since opam 2.1 the `opam switch export` includes [extra-files (patches)](https://github.com/ocaml/opam/pull/4040) and [records the VCS version](https://github.com/ocaml/opam/pull/4055). Based on this functionality, [orb](https://github.com/roburio/orb), an alternative command line application using the opam-client library, can be used to collect (a) the switch export, (b) host system packages, and (c) the environment variables. Only required environment variables are kept, all others are unset while conducting a build. The only required environment variables are `PATH` (sanitized with an allow list, `/bin`, `/sbin`, with `/usr`, `/usr/local`, and `/opt` prefixes), and `HOME`. To enable Debian's `apt` to install packages, `DEBIAN_FRONTEND` is set to `noninteractive`. The `SWITCH_PATH` is recorded to allow orb to use the same path during a rebuild. The `SOURCE_DATE_EPOCH` is set to enable tools that record a timestamp to use a static one. The `OS*` variables are only used for recording the host OS and version.
The goal of reproducible builds can certainly be achieved in several ways, including to store all sources and used executables in a huge tarball (or docker container), which is preserved for rebuilders. The question of minimal trusted computing base and how such a container could be rebuild from sources in reproducible way are open.
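Review bot: the added sentences say that `SWITCH_PATH` is recorded so a rebuild can use the same value, but say nothing comparable for `HOME` and `SOURCE_DATE_EPOCH`, both of which also influence the output (a home directory that leaks into embedded paths, a timestamp baked into the artifact); the text should state whether their values are recorded alongside the switch export so a rebuilder can set them identically, and what `SOURCE_DATE_EPOCH` is set to. The `PATH` parenthetical "(sanitized with an allow list, `/bin`, `/sbin`, with `/usr`, `/usr/local`, and `/opt` prefixes)" is hard to parse; consider spelling out the allowed entries, e.g. "only `/bin` and `/sbin`, optionally prefixed by `/usr`, `/usr/local` or `/opt`, are kept". Finally, "sanitized" alone does not say whether the filtered `PATH` itself is recorded; since the order of entries can change which toolchain is picked up, the recorded value should be the post-filter one.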