
NetBSD fully reproducible builds - conductor
https://blog.netbsd.org/tnf/entry/netbsd_fully_reproducible_builds
======
trengrj
Woah. This is something that would cause me to switch over from Linux.

Reproducible builds are so important, they prevent a build server or developer
laptop from being a single point of failure as a tainted build can now be
detected by others.

~~~
maheart
Debian developers have been working on Reproducible Builds for a number of
years[0]. Currently the Debian amd64 distribution is ~93.7% reproducible[1].
It's possible that Debian amd64 systems will be fully reproducible in
Stretch+1 (~2-3 years).

[0]
[https://wiki.debian.org/ReproducibleBuilds](https://wiki.debian.org/ReproducibleBuilds)

[1] [https://tests.reproducible-builds.org/debian/reproducible.html](https://tests.reproducible-builds.org/debian/reproducible.html)

~~~
gwu78
The Debian wiki page appears to be about reproducible builds for _packages_.

The NetBSD wiki entry is about progress on reproducible builds for _tools,
kernel and userland_.

As for packages, reproducible builds under pkgsrc is still a WIP.

My use of third party binary packages and pkgsrc is minimal but I am
continually building custom kernels and crunched binaries with build.sh and I
do make use of the binary userlands from releng.

For me at least, having reproducible builds for these alone is quite useful.

~~~
throwaway2048
On debian tools, kernel and userland are packages.

~~~
gwu78
I should have guessed. I use their libc6 package for q)k) under /emul/linux
and in the past the live.debian.org images occasionally but that is about as
much as I know about Debian. Apologies for my ignorance.

------
gumby
At Cygnus we had a customer from the telecom industry. They had SLAs with
their own customers that included terms like "no more than 10 minutes of
downtime per decade". They paid a LOT of money to have one, consistent release
(no upgrades, only bug fixes); when they reported a bug and got a fix they
would diff the new binary and required that every change could be traced
solely to the patch issued and nothing else.

Satisfying this made GCC a lot better.

------
ysleepy
That is wonderful.

I always dread dealing with build systems, mostly in the C land.

Deterministic behaviour, especially in this rigorous fashion, is probably very
helpful in many more cases than just trust.

This looming assumption that make executes pure functions to produce output
could actually become true. Now it really suffices if make triggers a target
if one of the inputs changed.

~~~
ymse
> Now it really suffices if make triggers a target if one of the inputs
> changed.

This is exactly how Nix and Guix work. If any inputs change, they will force a
rebuild of all dependent packages.

------
theamk
FTR, Debian is like 80% reproducible
[https://wiki.debian.org/ReproducibleBuilds](https://wiki.debian.org/ReproducibleBuilds)

"Reproducible builds of Debian as a whole are still not a reality, though
individual reproducible builds of packages are possible. So while we are
making very good progress, it is a stretch to say that Debian is
reproducible."

In my experience, if you have a single home-made package in C it is pretty
easy to make it reproducible.

~~~
tachion
It's funny that to prove your argument you're quoting a paragraph that says
exactly otherwise. Not to mention, NetBSD builds are about the OS, that's
kernel, tooling, base and so on, and not about packages, as in Debian's case.

~~~
bcook
As another comment notes, Debian packages the kernel, tooling, base, etc.

------
eriknstr
If author is here, there's a typo in the text. It says "iso6990" but should
say "ISO 9660".

~~~
zoulasc
thanks!

------
hendry
If you care about getting on the Web safely, Webconverger has reproducible
builds at [https://build.webconverger.com/](https://build.webconverger.com/)

------
ksec
Forgive my ignorance,

OpenBSD - Absolute security

FreeBSD - General purpose

What is NetBSD aiming at?

~~~
smhenderson
Maximum portability... "Of course it runs NetBSD"

From their website: _NetBSD is a free, fast, secure, and highly portable Unix-
like Open Source operating system. It is available for a wide range of
platforms, from large-scale servers and powerful desktop systems to handheld
and embedded devices. Its clean design and advanced features make it excellent
for use in both production and research environments, and the source code is
freely available under a business-friendly license._

------
dolzenko
I know, it's unrelated, but it's 2017 and

> Unfortunately this was not easy to find on NetBSD, because we are still
> using CVS as the source control system

seems just weird.

------
jrcii
Of all the great OSes, NetBSD seems to get the least fanfare but it's always
been my favorite. It's fast, secure, and due to a well reasoned architecture
it works on everything. pkgsrc is amazing. They also have a very helpful,
friendly community. It especially warms my heart to run `ps -ax` on a new
install and see all of about 10 processes. The OS feels lean, neat, and
organized, and I feel like I know exactly what is going on, where to find a
given file, etc.

These special strengths -- vast hardware compatibility, rump kernels, now full
reproducible builds, are all enabled by a greater underlying (and seemingly
underrated) technical excellence.

~~~
geff82
Also run "top" on the fresh install to see it uses about 10 MB :D. I learned
how to use Unix when I installed and used NetBSD for some years, so for me it
is "Mother-UNIX". It's a pity that general hardware support is not that great
anymore nowadays. But it runs quite well on the Lenovo X240/T440 range of
laptops which can still be had new in some places.

------
sly010
Does anyone have a list of the typical sources of non-determinism (other
than compiler and automake versions)?

~~~
emaste
There's a fairly comprehensive list at [https://reproducible-builds.org/docs/](https://reproducible-builds.org/docs/). Debian has a
detailed list of reproducibility issues and affected packages at
[https://tests.reproducible-builds.org/debian/index_issues.html](https://tests.reproducible-builds.org/debian/index_issues.html)

~~~
ymse
Here's a laundry list:

* Non-isolated build environment. This is just asking for all sorts of trouble (users, hostname, network access, etc).

* File system time stamps.

* Recording times in the build process (although even gcc supports SOURCE_DATE_EPOCH since version 7).

* Usage of CPU-specific instructions, e.g. -march=native to GCC.
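The time-stamp and build-user items on this list, and the "tainted build can be detected by others" point from the top of the thread, can be demonstrated with a toy packaging step. This is an added example, not code from the NetBSD project or from anyone in the thread: it packs a constructed source tree into a tar archive under two hypothetical build environments (`ENV_A`/`ENV_B` style dicts standing in for different machines), shows which header fields make the two artifacts disagree, and shows that honouring SOURCE_DATE_EPOCH semantics makes them byte-identical.

```python
import io
import tarfile

# Constructed sample source tree (not from the thread): path -> contents.
SOURCES = {"src/main.c": b"int main(void) { return 0; }\n", "README": b"demo\n"}


def build_tarball(sources, env, source_date_epoch=None):
    """Package `sources` the way a naive packaging step would.
    `env` stands in for the build machine: {"now": epoch seconds, "user": login}.
    Without source_date_epoch the clock and the builder's login leak into the tar
    headers; with it, time stamps are clamped and identity is stripped."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(sources):  # fixed order: readdir/dict order is unstable
            info = tarfile.TarInfo(name)
            info.size = len(sources[name])
            if source_date_epoch is None:
                info.mtime = int(env["now"])  # file system time stamp leaks in
                info.uname = env["user"]      # build user leaks in
            else:
                # SOURCE_DATE_EPOCH semantics: anything newer is clamped to it
                info.mtime = min(int(env["now"]), source_date_epoch)
                info.uid = info.gid = 0
                info.uname = info.gname = ""  # no build-environment identity
            tar.addfile(info, io.BytesIO(sources[name]))
    return buf.getvalue()


def header_differences(blob_a, blob_b):
    """(member, field, a, b) for each tar header field that differs: what two
    independent builders would compare to see why their artifacts disagree."""
    with tarfile.open(fileobj=io.BytesIO(blob_a)) as ta, \
         tarfile.open(fileobj=io.BytesIO(blob_b)) as tb:
        b_members = {m.name: m for m in tb.getmembers()}
        diffs = []
        for a in ta.getmembers():
            b = b_members[a.name]
            for f in ("size", "mtime", "uid", "gid", "uname", "gname"):
                if getattr(a, f) != getattr(b, f):
                    diffs.append((a.name, f, getattr(a, f), getattr(b, f)))
    return diffs


def reproducible_across(sources, envs, source_date_epoch=None):
    """True when every build environment yields a byte-identical artifact."""
    return len({build_tarball(sources, e, source_date_epoch) for e in envs}) == 1
```

Real packaging steps have more leaks than these two (archive member order, locale, `-march=native`), but the check is the same: build independently, compare hashes, and explain any difference field by field.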

