RFR: 8264449: Enable reproducible builds with SOURCE_DATE_EPOCH [v7]
John Neffenger
jgneff at openjdk.org
Mon Jun 20 20:06:06 UTC 2022
On Mon, 20 Jun 2022 08:06:33 GMT, Johan Vos <jvos at openjdk.org> wrote:
> But if we want to have reproducibility amongst ephemeral systems, there is lots of other work to be done.
On the contrary, it's precisely these well-defined ephemeral systems that make it easy to reproduce a build. The only other work to be done is to share the build log.
For example, I build JavaFX in a transient container that installs the latest build of Ubuntu 18.04, the current release of OpenJDK, and the following extra packages: `pkg-config`, `libgtk2.0-dev`, `libxtst-dev`, `libgtk-3-dev`, and `libxxf86vm-dev`. With that information, along with the date, the build script, and the JavaFX release tag, anyone can reproduce the build environment. If we allow for reproducible builds, anyone could reproduce the build and get bit-by-bit identical output.
The Launchpad build farm I use just happens to produce a software bill of materials. Yet even without the official SBOM, the build log itself works just as well. Any complete build log from a transient system can serve as a software bill of materials and allows anyone to reproduce the build even years later.
If parts of your build are proprietary, you could hire someone to verify your build by reproducing it, in the same way you might hire an accountant to audit your business by verifying its financial records. That verification is the best countermeasure against a supply-chain attack, giving you confidence that the packages you release have not been compromised.
> From a previous comment ("The SBOM is the next step ...") I understand that the goal is not reproducibility in any environment though ...
That previous comment on the SBOM was because Kevin was testing on his own permanent, non-transient development workstation where it's difficult to match all the system libraries that affect the output of a build. (Even Kevin wasn't quite sure how his system was different from the transient CI system.) The CI build, though, if it's done in a transient VM or container, will be completely described by its build log, so it's straightforward to reproduce.
There are benefits for the OpenJFX project to have reproducible builds beyond detecting supply-chain attacks. In fact, I think there are still benefits even if it were only possible on the exact same system. Let me know if you need more convincing. 😄
-------------
PR: https://git.openjdk.org/jfx/pull/446
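The procedure the message describes, as an added illustration that is not JavaFX's build script or any code from the PR: a hypothetical shell "build" that embeds a build timestamp, honors SOURCE_DATE_EPOCH when set, writes a build log recording the inputs (epoch, release tag, package list) so a second party can redo the build, and a check that two builds under the same SOURCE_DATE_EPOCH are bit-for-bit identical. The source file, the `example-tag` release tag and the `build_artifact`/`verify_reproducible` function names are constructed for the example; the package list is the one quoted in the message.

```shell
#!/bin/sh
# Added illustration, not the JavaFX build: a tiny build that stamps a date
# into its output, honors SOURCE_DATE_EPOCH, and can be checked for
# bit-for-bit reproducibility. Source tree and release tag are constructed.
set -eu

RELEASE_TAG="${RELEASE_TAG:-example-tag}"            # hypothetical tag
BUILD_PACKAGES="pkg-config libgtk2.0-dev libxtst-dev libgtk-3-dev libxxf86vm-dev"

# artifact_checksum DIR: POSIX cksum CRC of the built artifact (for display).
artifact_checksum() {
    cksum < "$1/artifact.txt" | cut -d ' ' -f 1
}

# build_artifact OUTDIR: run the hypothetical build into OUTDIR.
build_artifact() {
    out="$1"
    mkdir -p "$out"
    # A build that wants to embed "now" must use SOURCE_DATE_EPOCH when it is
    # set (reproducible-builds.org convention); the wall clock is the fallback
    # that makes two otherwise identical builds differ.
    stamp="${SOURCE_DATE_EPOCH:-$(date +%s)}"
    # Constructed source tree standing in for the checkout at the release tag.
    printf 'package demo;\nclass Version { static final String TAG = "%s"; }\n' \
        "$RELEASE_TAG" > "$out/Version.java"
    # The "compile" step: the source plus build metadata carrying the stamp.
    {
        printf 'Build-Timestamp: %s\n' "$stamp"
        cat "$out/Version.java"
    } > "$out/artifact.txt"
    # The build log records every input needed to redo the build; from a
    # transient container this log is the bill of materials the message means.
    {
        printf 'SOURCE_DATE_EPOCH=%s\n' "$stamp"
        printf 'release-tag=%s\n' "$RELEASE_TAG"
        printf 'packages=%s\n' "$BUILD_PACKAGES"
        printf 'artifact-cksum=%s\n' "$(artifact_checksum "$out")"
    } > "$out/build.log"
}

# verify_reproducible EPOCH WORKDIR: build twice under the same
# SOURCE_DATE_EPOCH and compare the outputs byte for byte. Returns 0 when they
# are identical, 1 otherwise. This is the check a third party would run with
# only the build log in hand.
verify_reproducible() {
    epoch="$1"; work="$2"
    (
        export SOURCE_DATE_EPOCH="$epoch"
        build_artifact "$work/first"
        build_artifact "$work/second"
    )
    if cmp -s "$work/first/artifact.txt" "$work/second/artifact.txt"; then
        echo "REPRODUCIBLE cksum=$(artifact_checksum "$work/first")"
        return 0
    fi
    echo "DIFFERS $(artifact_checksum "$work/first") != $(artifact_checksum "$work/second")"
    return 1
}

# Demo: a pinned epoch reproduces; a different epoch changes the artifact,
# which is why the epoch must be recorded in the log.
demo_dir="$(mktemp -d)"
verify_reproducible 1655755566 "$demo_dir/pinned"
( export SOURCE_DATE_EPOCH=1655755567; build_artifact "$demo_dir/other" )
echo "other epoch cksum=$(artifact_checksum "$demo_dir/other")"
rm -rf "$demo_dir"
```

The byte-for-byte `cmp` is the real test; the checksum is only printed so that a verifier can compare against the `artifact-cksum` line of a published build log without needing the original artifact. Anything the build reads that is not in the log (a system library version, the wall clock when SOURCE_DATE_EPOCH is unset) is exactly the kind of input a permanent workstation would fail to match.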