From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6558372643829972992 X-Received: by 2002:a19:8fc6:: with SMTP id s67-v6mr825383lfk.10.1528112895946; Mon, 04 Jun 2018 04:48:15 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a2e:8087:: with SMTP id i7-v6ls2174350ljg.7.gmail; Mon, 04 Jun 2018 04:48:15 -0700 (PDT) X-Google-Smtp-Source: ADUXVKJaH4wmnIR2UHchKCIlDduAXNbu68xHvsYGRaD+wEpusjn5udtie4nU5qB6VqU4WO+u26Tl X-Received: by 2002:a2e:21da:: with SMTP id h87-v6mr1126932lji.21.1528112895549; Mon, 04 Jun 2018 04:48:15 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1528112895; cv=none; d=google.com; s=arc-20160816; b=aih1OVbbtfXkrzliTX7uoDheTYI3TUeC7jJovA/9l9FlnNvy9GfuOfgT1worDl2MJy fK+rDZypdM7EAowbOKCWQzLw9CwZoIOBote2nSCZFDfZJfXqWBr+fupe294AVLrbdBrd mLU+9JXCsOLq44k8nAA8yfWkqNMB0Kqr2QMgVjgpUbuOc9FwQmHROdVROiEtRAndKYvI xy8SDZ3BPeLIN8Fw0EzOe/jOORlckR5/0qFjTnhXP9fkl/VqQhX0uHrIhh/KEE+poEvL L/WJ+Zvv5GD239grUUhWq63nu8dGHnEJWg90agsqUk/Q3Df3JZscZ4idVMIUuXAXrNk0 T96A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=user-agent:in-reply-to:content-disposition:mime-version:references :mail-followup-to:message-id:subject:to:from:date :arc-authentication-results; bh=gri+gZHBPp9aqmG1aFFnOsv+piTHzpfxxlDlqN9laQY=; b=suMpFBn4qS0zn+vd1JD4tr5vx4Ua4d6CHo41sbosMdI1/gW6VEiORCWql91CFHP58r NkcTURc/Xhka1z1xsyD35ZEf0SFUcbHKtMIEFkJ0MRp/ifpSoJct1/aM1v8Z8LYdvmNr gHth2UnMojDMNQ/YYbvafYUvbXnSJlwd6FhzX0hSoMAAlkwUgo5YgGV+VNC34TPn5vpf ZJGBMr9eREt9dUR+UTZgvDJWoqylXNPB8euBlc5D/EZnbtUs9p5tKicsw6uMuZx8ygpj 5+9OLHL00CG7m9BwxEwdOMxqYEZPHVYMpxJB9yOjvh6pyzi1O35eiQ+MWLLFDjgAFfOV U1MQ== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=neutral (google.com: 85.214.62.211 is neither permitted nor denied by best guess record for domain of ibr@radix50.net) smtp.mailfrom=ibr@radix50.net Return-Path: Received: from aqmola.ilbers.de (aqmola.ilbers.de. [85.214.62.211]) by gmr-mx.google.com with ESMTPS id y2-v6si25860lfi.5.2018.06.04.04.48.15 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 04 Jun 2018 04:48:15 -0700 (PDT) Received-SPF: neutral (google.com: 85.214.62.211 is neither permitted nor denied by best guess record for domain of ibr@radix50.net) client-ip=85.214.62.211; Authentication-Results: gmr-mx.google.com; spf=neutral (google.com: 85.214.62.211 is neither permitted nor denied by best guess record for domain of ibr@radix50.net) smtp.mailfrom=ibr@radix50.net Received: from yssyq.radix50.net (host-80-81-17-52.static.customer.m-online.net [80.81.17.52]) (authenticated bits=0) by aqmola.ilbers.de (8.14.4/8.14.4/Debian-4+deb7u1) with ESMTP id w54BmDR5028741 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 4 Jun 2018 13:48:14 +0200 Received: from yssyq.radix50.net (localhost [127.0.0.1]) by yssyq.radix50.net (8.14.4/8.14.4/Debian-8) with ESMTP id w54BmC3K017056 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 4 Jun 2018 13:48:12 +0200 Received: (from ibr@localhost) by yssyq.radix50.net (8.14.4/8.14.4/Submit) id w54BmCdG017055 for isar-users@googlegroups.com; Mon, 4 Jun 2018 13:48:12 +0200 Date: Mon, 4 Jun 2018 13:48:12 +0200 From: Baurzhan Ismagulov To: isar-users Subject: Re: Idea for implementing reproducible builds Message-ID: <20180604114812.GE5657@yssyq.radix50.net> Mail-Followup-To: isar-users References: <3467a5ec-182e-8c9a-cd19-7ad898323be7@siemens.com> <20180522223224.GE5882@yssyq.radix50.net> <89f104dc-f192-8364-92f2-1345ea11207c@siemens.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <89f104dc-f192-8364-92f2-1345ea11207c@siemens.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-TUID: WlZNX2MHCY25 On Wed, May 23, 2018 at 10:22:10AM +0200, Claudius Heine wrote: > The tarfile has to be versioned outside of the repo, since there is a > 1-to-many relationship between the source repo commit and the tarball. > > For instance openssl updates would not necessarly mean a new change to the > repo, just a new build. This is why I'd like to see user docs to understand your intended use case. What should be the names of the tarballs (just one simple example how it could work)? How would you tell the repo to use the new tarball? > >U3.1. debian-mirror exists. Update all packages from upstream into > > debian-mirror. > > Why is that needed? For updating debian-mirror completely. > You could just delete the debian-mirror and then it is recreated with the > current upstream anyway. That answers my question and is ok with me for the first step. > >U3.4. Remove packages not used in any previous commit. > > I am currently not sure what you mean by that. Why would there be packages > that aren't used in any previous commits? Bad wording, I meant just "remove unused packages". > I look into this and came up with some difficulties when using an > alternative debian-mirror repo that is generated from the used packages: > > 1. You need to change the apt repo urls. Yes multiple ones since we > support multi-repos in isar. How are we handling this? Are we > throwing stuff from different repos togehter? Or are we creating > multiple locale repos for every used repo and then set them back > later? Both solutions can cause (un)expected problems. > How are we dealing with updates from upstream then? As answered in the other mail, you could proceed just as now, with separate package dirs. Managing a single dir would be better. Package dirs solve those problems as well as tarballs. > 2. How are we installing additional packages that are currently not > part of the debian-mirror? If its just a different repo those > packages would not be part of the package index, so those > packages would not be available. Which additional packages do you have in mind? If hello and friends, the current installation way should not be changed in this step. If you mean updating debian-mirror, for now e.g. just delete and start from scratch, as with tarballs, till we have something that is better. > If its a complete mirror of the repos, then it contains many packages > that aren't needed. No, not complete mirrors, just the packages we need from Debian. With kind regards, Baurzhan.