-
-
Notifications
You must be signed in to change notification settings - Fork 185
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Maintain actual CI to confirm reproducibility of roms across distributions #571
Comments
my $0.25. circleci probably has some restrictions or limits that we are hitting. I cant verify since I don't have access to the account.
NB I have built master in a loop for a weekend and never hit any deadlocks etc. |
@osresearch : that would be lovely if fixed. |
An temporary fix for this was introduced by @osresearch here, using a specific docker image to have bootsrapping tools encompassed to make builds faster, while not permitting easy audit boostrapping dependencies upgrades that could break reproducibility. While non-ideal, this works. |
Good news, builds are thought reproducible again since 6b485ed Any people experienced enough to propose better CircleCI and GitlabCI configurations to be in tree so that CircleCI and GitlabCI could automatically build for different hosts (docker images) and boards upon passed environment variables? (CircleCI doc)
The community could then subscribe to Heads project over CircleCI and automatically produce default downloadable board artifacts (x230, qemu) for default host environment (ubuntu), append board ROM sha256sum on osresearch's github release page(if built by osresearch), while other builders CIs could infirm/confirm reproducibility across other docker images for a same commit id+board in some way? |
@osresearch : CI builds are failing again from CircleCI, since they changed their log retention policy, I guess. If you come up with a trick to only output failing logs from build/logs/* (only logs modified in the last 5 seconds shown on screen?) |
@tlaurion @osresearch This temporary fix seems to have broken the CI builds from Gitlab since the januari 15th commit 8e4b109 (musl-cross-make) to Heads. |
Thanks. That url did not work for me, but https://app.circleci.com/pipelines/github/osresearch/heads did |
@osresearch : We still have reproducibility issues on commit ad84c38 on those components: coreboot image differs:
Because of:
Other non-reproducible component:
Edit: librem-hotp-verification is reproducible again since 6916069 |
@osresearch
EDIT: was issue #799 fixed with tlaurion@9d056a0 |
libremkey-hotp-verification issue was fixed under #722 |
Each commit now produces images on: |
@osresearch @BlackMaria @MrChromebox @flammit : First step accomplished:
|
@BlackMaria : How would we make those build systems report their hashes to github for automatic comparison and reproducibility validation? |
@szszszsz : The above points are still missing, while CircleCI still misses a proper checksum statement to validate individual points:
I'm still struggling with GitlabCI with space missing and didn't found a proper way to fix it yet. |
Becoming more urgent to produce ROM images for coreboot 4.12, as seen in #824 and consequentially #825 (comment) @MrChromebox ? @flammit ? |
Fixed with https://github.com/tlaurion/heads/tree/GitlabCI_Fix |
Next steps:
|
from #851
That I understood. The mention of coreboot-4.12 is why I made the suggestion. Apparently there are quirks with automake and aclocal in addition to dependency changes. It may have been easier to start from there instead of through trial and error with the base Debian image.
I am still not sure to what extent the ultimate goal is, if it is for anyone to download the Heads source and compile it expecting the result to be the same hash as the CI builds, I do not think this is possible. Reading through What's in a build environment? on reproducible-builds.org, Although the reproducible-build docs recommend using VMs and containers, I am not saying using a docker container is the solution and am still need to experiment with CircleCI and GitlabCI. |
@tlaurion In addition to |
@tlaurion Just curious, has musl.cc been considered an alternative to compiling |
@Thrilleratplay : The current considered alternatives, by more knowledgeable people then I am are:
The main objective here would be to, IMHO, to distance ourselves the most possible from the host toolchain. For example, even if we use musl-cross-make right now and the abstraction is is supposed to imply, we are still facing kernel reproducibility issues (#734) opened for more then a year after having moved away of musl-cross for musl-cross-make. I am not knowledgeable enough to understand why those changes are coming from, unfortunately. But my intuition is that 1 and 2 are the most desired approaches.
|
@tlaurion Thank you for the detailed answer, it was more than I expected. From my local testing, I can answer a few questions. The I was trying to add @daym showed me how to pull his |
Hurray, CircleCI is able to sustain cache for multiple linux and coreboot versions:
From #867 built https://app.circleci.com/pipelines/github/tlaurion/heads/541/workflows/9d19e4e0-a6ab-4d68-bfa1-f47d61b9b760/jobs/588 and reused https://app.circleci.com/pipelines/github/tlaurion/heads/541/workflows/b191e704-769e-4742-a3af-12fd0a4b7cfe/jobs/589 for the same modules and patches applied. Now if someone has ideas on having the same musl-cross-make cache being downloaded on different docker images to test reproducibility and push to github releases on tags, that would be the next step in the goal of pushing Heads releases to LVFS! |
@Thrilleratplay we see in past CircleCI cache that building a cache, compressing and uploading cache takes a while (16m45), while downloading it is really fast (4m21s). Building all boards without a modules cache takes 3h15m. So each time we touch a module/patchset, rebuilding all boards takes a while but actually produce a cache that then shortens that process to under 30 minutes. This is really big improvement. Building a docker image could be done the same way a cahce is built, when buildstack changes (musl-cross-make or guix-toolstack dependencies) just like in cache. When rebuilding the same modules/patches, we can see here that the build time for each board is reduces at maximum, where it could still be optimized since not everything is considered in the cache right now. For exemple, make and gawk are not cached inside of the musl-cross-make cache, which should probably be added. We see in the first board in line that is being built a build time of 9m22 where subsequent boards builds are just plainly reusing cache (41s, 1m23 etc). So as long as the same modules patches are used (which is normally the case under Heads projects, most of the PR are affecting scripts changes, not mudules nor patches) there won't be any need of rebuilding boards from a clean state, and at least musl-cross-make/guix-toolstack cache would be reused, where at best, the cache for built modules is reused, which now permits to build all boards over CircleCI for a commit under 27minutes! My belief here is that it might be useless to try to create docker images, where caches could definitely be used for that purposes. If we go the path of guix-toolstack, that would be the same principles as understood, where it could be built from scratch (to test reproducibility where guaranteed) or downloaded as a layer prior of simply building boards, with cross compiler settings set in Makefile and other modules being adjusted to use that toolchain. @daym @Thrilleratplay @MrChromebox @osresearch: any advice welcome prior of switching build toolstack or going one direction more then the other. Please read #571 (comment) |
@tlaurion FYI, when trying to get #872 to build, I found that CircleCI config version 2.1 and version 2 have a lot of incompatibilities but could not find a good document outlining how to migrate between them. As one of these how |
@Thrilleratplay : haaaaaa. Will have to check, I had no idea. |
@Thrilleratplay what incompatibilities have you found? |
@tlaurion I stopped at |
Seems like local cli validator might be of help here, while 2.1 is in test right now. Interesting what can be done with orbs. |
@daym your input on improvements and #571 (comment) would be more then welcome! |
@Thrilleratplay @daym This is not the case anymore? How would we replace musl-cross-make here to depend on guix-toolstack from docker? This is exciting. |
@tlaurion Sorry, at the time I was not 100% sure of this and did not want to provide incorrect information. After becoming more comfortable with Guix in Docker, I can confirm that the I will post my current plan in #927. |
I think this is fixed by #1661 |
Reproducible builds CI based on Ubuntu docker are not working for a long while now:
@osresearch
https://circleci.com/gh/osresearch/heads
@nemanjan00
https://gitlab.com/nemanjan00/heads-ci/
Does anyone have a working one?
Fedora-29 based one does work, but lacks hooks to build from master commits:
https://gitlab.com/tlaurion/heads
Any help appreciated in fixing any of those problems!
Sent from my Galaxy S3 using FastHub-Libre
The text was updated successfully, but these errors were encountered: