[PureOS] Bits from PureOS

Chris Lamb chris.lamb at puri.sm
Thu Jul 4 14:00:58 PDT 2019


Dear Jeremiah,

> In regard to reproducible builds, Chris Lamb and I have been meeting
> regularly to discuss PureOS builds and their reproducibility. 
[…]
> I believe that we'll be able to say that the PureOS ISO is reproducible
> when the builds are byte-for-byte identical.

That is absolutely correct, but I would go further in that I would
underline that there is no other definition of "reproducible" from our
point of view.

One remaining "policy" question here is what value we use for the
SOURCE_DATE_EPOCH environment variable:

  https://reproducible-builds.org/docs/source-date-epoch/

As in, a build of the PureOS issue needs to have a single, fixed, date
associated with it. This can be as simple as the date of the relevant
Git commit or tag that was built from, but we need to decide on where
it comes from, one way or another.

Then in our test framework or if anyone else wished to reproduce the
same .ISO themselves, we would export that very SOURCE_DATE_EPOCH
value to the environment in all builds of that specific version.

I have already patched various tools and utilities upstream to
detect & use that value, and it would make a bunch of stuff
immediately reproducible. For example, casper — at the time of
writing — is introducing variances between the builds. It would
use that value in its metadata rather than the current date/time etc.

> Well, just a medium length email this time, if they get too long they
> tend to get a bit boring.

Beethoven's second-most famous letter contains the phrase: "only a
few words today and with a pencil" … so you are in good company in
sending shorter messages. What I'm really trying to say here is please
keep sending these mails.

> […] encourage greater use of our mailing list to complement our chat
> channel and this irregular (but hopefully frequent) email is a
> collection of "bits" in the spirit of Debian's "Bits from . . . "

Huzzah! Indeed, this "Debian" thing you refer to sounds like they have
a bunch of good ideas. How can I find out more about it? ;)


Best wishes,

-- 
Chris Lamb
https://puri.sm
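
The following is an added example, not part of the original email and not PureOS or casper code: a small Python sketch of a build step that honours SOURCE_DATE_EPOCH as discussed above, so that two builds of the same inputs are byte-for-byte identical. The function names, the "build-info" metadata file and the sample epoch value are assumptions made for illustration.

```python
import hashlib
import io
import os
import tarfile
import time


def build_timestamp(environ=os.environ, clock=time.time):
    """Timestamp a build tool should embed: SOURCE_DATE_EPOCH if exported."""
    raw = environ.get("SOURCE_DATE_EPOCH")
    if raw is None:
        return int(clock())  # wall clock: differs on every build
    epoch = int(raw)  # a malformed value raises ValueError rather than being ignored
    if epoch < 0:
        raise ValueError("SOURCE_DATE_EPOCH must be a non-negative integer")
    return epoch


def build_image(files, environ=os.environ, clock=time.time):
    """Pack {name: bytes} into a tar archive; with SOURCE_DATE_EPOCH set,
    the output bytes depend only on the input files and that value."""
    stamp = build_timestamp(environ, clock)
    # Hypothetical metadata file standing in for what a tool writes into an image.
    date = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(stamp))
    members = {**files, "build-info": f"built {date}\n".encode()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(members):  # fixed member order
            info = tarfile.TarInfo(name)
            info.size = len(members[name])
            info.mtime = stamp  # pinned date, not the current time
            info.mode, info.uid, info.gid = 0o644, 0, 0
            tar.addfile(info, io.BytesIO(members[name]))
    return buf.getvalue()


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    files = {"vmlinuz": b"kernel", "README": b"sample\n"}  # constructed inputs
    env = {"SOURCE_DATE_EPOCH": "1562198400"}  # constructed sample value
    print(sha256(build_image(files, env)))
    print(sha256(build_image(files, env)))  # same digest as the line above
```

Comparing the SHA-256 digests of independently produced images is the check that the byte-for-byte definition of "reproducible" calls for.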

