pkg-builder's test workflow creates a fresh sbuild chroot from the latest distro repo on each CI run. When packages receive updates (e.g. gcc-12 security fix in bookworm 12.11), the build output changes and verification hashes break.
In eth-nodes, this is handled by saving the chroot tarball as a release asset, so verification rebuilds use the exact same environment.
Proposal
pkg-builder should support pinning the chroot environment in some way, so that pkg-builder env create produces or uses a reproducible environment. Options to consider:
Save and restore chroot tarballs (like eth-nodes does via release assets)
Support Debian snapshot archives (snapshot.debian.org) to pin package versions by date
Record installed package versions in the build output for reproducibility tracking
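
Two of the options listed above, snapshot pinning and recording installed package versions, as an added shell example (not pkg-builder or eth-nodes code). The helper names `snapshot_sources` and `manifest_drift` are hypothetical, and the timestamp and package versions are constructed sample values.

```shell
#!/bin/sh
# Added example, not pkg-builder code. Helper names are hypothetical.

# Print APT sources pinned to one snapshot.debian.org timestamp.
# $1 = suite (e.g. bookworm), $2 = timestamp as YYYYMMDDTHHMMSSZ
snapshot_sources() {
    suite=$1 ts=$2
    case $ts in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) echo "invalid snapshot timestamp: $ts" >&2; return 1 ;;
    esac
    base=https://snapshot.debian.org/archive
    # Old snapshots carry expired Release files, hence check-valid-until=no.
    echo "deb [check-valid-until=no] $base/debian/$ts/ $suite main"
    echo "deb [check-valid-until=no] $base/debian-security/$ts/ $suite-security main"
}

# Compare two manifests of "package=version" lines, e.g. produced inside the
# chroot with: dpkg-query -W -f='${Package}=${Version}\n'
# $1 = manifest recorded with the release, $2 = manifest of the rebuild chroot
manifest_drift() {
    awk -F= '
        FILENAME == ARGV[1] { old[$1] = $2; next }
        { seen[$1] = 1
          if (!($1 in old))       print $1 ": (absent) -> " $2
          else if (old[$1] != $2) print $1 ": " old[$1] " -> " $2 }
        END { for (p in old) if (!(p in seen)) print p ": " old[p] " -> (absent)" }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed manifests: one upgraded, one removed and one added package.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'gcc-12=12.0.0-1' 'libc6=2.0-1' 'make=4.0-1' > "$dir/recorded"
    printf '%s\n' 'gcc-12=12.0.0-1+fix1' 'libc6=2.0-1' 'patch=2.0-1' > "$dir/rebuild"
    manifest_drift "$dir/recorded" "$dir/rebuild"
    rm -rf "$dir"
}

snapshot_sources bookworm 20250101T000000Z   # constructed timestamp
demo
```

An empty result from `manifest_drift` means the rebuild chroot matches the recorded one, so a hash mismatch cannot be blamed on package updates.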