On Thu, Mar 20, 2025 at 6:33 AM Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:
>
> On Thu, Mar 20, 2025 at 06:23:53AM -0400, Neal Gompa wrote:
> > On Thu, Mar 20, 2025 at 4:40 AM Zbigniew Jędrzejewski-Szmek
> > <zbys...@in.waw.pl> wrote:
> > >
> > > On Thu, Mar 20, 2025 at 08:04:57AM +0100, Miroslav Suchý wrote:
> > > > On 19. 03. 25 at 7:48 PM, Aoife Moloney via devel-announce wrote:
> > > > > == Scope ==
> > > > > * Proposal owners:
> > > > > ** Package [https://github.com/keszybz/fedora-repro-build
> > > > > fedora-repro-build] to allow local rebuilds of historical koji builds
> > > >
> > > > This
> > > >
> > > > https://rpm-software-management.github.io/mock/feature-hermetic-builds
> > >
> > > Yes, thanks for the link. I think this didn't exist when I started working
> > > on my script to do rebuilds, so I just gather the rpms reported by koji
> > > to have been used for the original build and call 'createrepo_c' on the
> > > directory and point mock to that. This works fine… But having support
> > > for using a lockfile natively in mock is nice.
> > >
> > > Though, the process described in that link seems incomplete.
> > > > # we want to build this package
> > > > srpm=your-package.src.rpm
> > > Where does the $srpm come from? The process of creating the srpm from
> > > dist-git involves running the spec, i.e. already calling "untrusted"
> > > code. How is that part handled?
> > >
> >
> > It's also not *really* hermetic either. Hermetic builds require true
> > isolation and there is no Mock backend that provides that right now.
> > All it does is let you pre-download the build environment and replay
> > it multiple times. Koji can do that too, and yet nobody calls it
> > hermetic either because chroots/containers aren't good enough for that.
>
> OK, so what do you mean by "true isolation" then?
> I'd say that once the build is in a container with no network access,
> that is good enough for me :)
>

A microvm, basically. Running as a VM prevents host characteristics
from leaking into the build environment and messing things up. It also
makes it so some test suites for packages will work correctly without
breaking the builder.

--
真実はいつも一つ!/ Always, there's only one truth!