Volatile inputs can disappear
Inputs from the network—even if it doesn’t seem like it—are volatile. It’s best to make a build system not rely on remote data.
If it must be the case, then:
- ensure integrity using cryptographic checksums,
- keep backups.
Ideally, a fallback location should be available with the backups.
A good example is how the FreeBSD ports
work. Port descriptions contain a list of
MASTER_SITES,
a list of files to be retrieved in DISTFILES, and a distinfo file with
cryptographic checksums for each of these files. The FreeBSD infrastructure
ensures that a copy of all distfiles are kept available on a mirror
network. When building a port, the files will be downloaded from there if
the original master site is unreachable.
Introduction
Achieve deterministic builds
- SOURCE_DATE_EPOCH
- Deterministic build systems
- Volatile inputs can disappear
- Stable order for inputs
- Value initialization
- Version information
- Timestamps
- Timezones
- Locales
- Archive metadata
- Stable order for outputs
- Randomness
- Build path
- System images
- JVM
Define a build environment
- What's in a build environment?
- Recording the build environment
- Definition strategies
- Proprietary operating systems
Distribute the environment
Comparison protocol
Specifications
Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches welcome via our Git repository (instructions) or via our mailing list. • Full contact info
