[yocto] Yocto & long-term reproducibility of rebuilds

Frans Meulenbroeks fransmeulenbroeks at gmail.com
Mon Jan 30 10:10:04 PST 2012


2012/1/30 <paul_nathan at selinc.com>

> Hi,
>
> I am investigating Yocto for a build system here. Part of my requirements
> for a build system is auditable/traceable builds that can be replicated
> long into the future (our company has a 10 year warranty on our products,
> and we build products for the multidecade term). Initial examination of
> Yocto shows that it builds packages from a number of different domains
> online, which will not meet our requirements - we'll have to store these
> packages to ensure these packages exist in the correct version long into
> the future.  I know we can manually edit the SRC_URI setting in .bb files,
> but the more general problem of package archiving exists.
>
> I am interested in any information or recommendations other users of the
> Yocto system have on how they have solved this sort of design constraint.
>
> - - -
> Regards,
> Paul Nathan
>

Paul,

My current project is still on oe-classic, not on yocto, but we also aim for
reproducible builds.
Basically we perform the following steps.

- check out the openembedded repo. We use a specific hash, not head, as we do
  not want unexpected updates
- create a tarball of the git tree
- build your product
- save all files in the downloads dir.
- put that on a local ftp mirror, add a premirror for that ftp mirror
- rebuild only using that mirror (e.g. disallow your build host to go to
  another external system than your ftp mirror).
- archive your git tarball and the saved downloads dir

That's it.
Actually you might then also want to put the stuff on your local ftp mirror
as well as the oe tarball on a public ftp site in order to fulfill your GPL
obligations.

Good luck!
Frans
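
Added example, not part of the original message: a local.conf fragment showing how the premirror and "only use the mirror" steps above map onto current Yocto/BitBake variables. The mirror host name and path are placeholders, and the poster's oe-classic setup may not support all of these variables.

```conf
# conf/local.conf fragment (added example; host name and path are placeholders)

# First build, with network access: also write tarballs of git/svn checkouts
# into DL_DIR so the downloads directory is a complete, self-contained mirror.
BB_GENERATE_MIRROR_TARBALLS = "1"

# Later rebuilds: consult the local mirror before any upstream SRC_URI.
# The own-mirrors class prepends SOURCE_MIRROR_URL to PREMIRRORS for the
# fetcher schemes it covers.
INHERIT += "own-mirrors"
SOURCE_MIRROR_URL = "ftp://mirror.example.internal/yocto-downloads"

# Fail the fetch instead of falling back to upstream when a file is missing
# from the mirror, so gaps in the archive show up immediately.
BB_FETCH_PREMIRRORONLY = "1"

# Fetcher-level allow-list: only this host may be contacted.
BB_ALLOWED_NETWORKS = "mirror.example.internal"
```

BB_ALLOWED_NETWORKS constrains only BitBake's fetchers, so the host-level network block described in the message remains the enforcement point for everything else the build runs.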