The reproducible builds project was invited to join the mini DebConf Hamburg sprints and conference part. I attended with the intention to get together to work on Arch Linux reproducible test setup improvements, reproducing more packages and comparing results.
The first improvement was adding JSON status output for Arch Linux and coincidently also OpenSUSE and in the future Alpine the commit can be viewed here. The result was deployed and the Arch Linux JSON results are live.
The next day, I investigated why Arch Linux's kernel is not reproducible. The packaging requires a few changes for partial reproducibility:
export KBUILD_BUILD_HOST="arch" export KBUILD_BUILD_TIMESTAMP=$(date -d@"$SOURCE_DATE_EPOCH" +%Y-%m-%d)
One of the remaining issue is
CONFIG_MODULE_SIG_ALL which signs all kernel modules to allow
loading of only signed kernel modules. If there is no private key specified a
key will be generated which is always non-reproducible. A solution for this
problem hasn't been found, as providing a key in the repository might also be
non-optimal. Apart from this issue, the vmlinuz-linux image is also
non-reproducible which needs to be further investigated.
Further packages where investigated which currently do not reproduce in our test framework.
s-nail due to recording of MAKEFLAGS which is under investigation for fixing.
Plans where made to extend the reproducible builds test framework for Arch Linux and start reproducing real repository packages on the test framework. Pacman was also packaged for Debian inclusion so that it's easier to bootstrap Arch containers/chroots from a Debian install.
A big thanks to all the organizers of mini DebConf Hamburg for organizing the event!