Independent verification of binary packages - reproducible builds

Last update: Dec 30, 2022

Overview

rebuilderd(1)

Independent verification system of binary packages.

Accessing a rebuilderd instance in your browser
Scripting access to a rebuilderd instance
Running a rebuilderd instance yourself
- Rebuilding Arch Linux (Supported)
- Rebuilding Tails
Development
- Dependencies
Funding
License

rebuilderd monitors the package repository of a linux distribution and uses rebuilder backends like archlinux-repro to verify the provided binary packages can be reproduced from the given source code.

It tracks the state of successfully verified packages and optionally generates a report of differences with diffoscope for debugging. Note that due to the early state of this technology a failed rebuild is more likely due to an undeterministic build process instead of a supply chain compromise, but if multiple rebuilders you trust report 100% reproducible for the set of packages you use you can be confident that the binaries on your system haven't been tampered with. People are encouraged to run their own rebuilders if they can afford to.

Status

	Status	Docker	Doesn't need --privileged	Doesn't need /dev/kvm	Backend
Arch Linux	✔️ supported	❌	-	✔️	archlinux-repro
Debian	🚀 experimental	✔️	❌	✔️	debrebuild.py
Tails	🚀 experimental	❌	-	❌	docs (script)
Alpine	✨ planned	-	-	-	-

Docker: There's a docker-compose example setup in this repository, but not all rebuilder backends support running inside of a docker container (for example because it's creating containers itself).

Doesn't need --privileged: Some rebuilder backends create containers in a way that works inside of a docker container, if they're granted the required kernel capabilities to do so. This may have security implications for other containers running on that system or the code running inside the container may reconfigure the system outside of the docker container.

Doesn't need /dev/kvm: Some build tools may need to start a virtual machine and depend on /dev/kvm to be available. This is a special requirement for the hosting environment, you either need a VPS with Nested KVM or dedicated non-virtualized hardware.

Accessing a rebuilderd instance in your browser

Many instance run a web frontend to display their results. rebuilderd-website is a very good choice and the software powering the Arch Linux rebuilderd instance:

https://reproducible.archlinux.org/

Loading the index of all packages may take a short time.

Scripting access to a rebuilderd instance

It's also possible to query and manage a rebuilderd instance in a scriptable way. It's recommended to install the rebuildctl commandline util to do this (instructions for your system may vary, see packaging status to the right):

pacman -S rebuilderd-tools

You can then query a rebuilderd instance for the status of a specific package:

rebuildctl -H https://reproducible.archlinux.org pkgs ls --name rebuilderd

You have to specify which instance you want to query because there's no definite truth™. You could ask multiple instances though, including one you operate yourself.

If the rebuilder seems to have outdated data or lists a package as unknown the update may still be in the build queue. You can query the build queue of an instance like this:

rebuildctl -H https://reproducible.archlinux.org queue ls --head

If there's no output that means the build queue is empty.

If you're the administrator of this instance you can also run commands like:

rebuildctl status

Or immediately retry all failed rebuild attempts (there's an automatic retry on by default):

rebuildctl pkgs requeue --status BAD --reset

Running a rebuilderd instance yourself

"I compile everything from source" - a significant amount of real world binary packages can already be reproduced today. The more people run rebuilders, the harder it is to compromise all of them.

At the current stage of the project we're interested in every rebuilder there is! Most rebuilderd discussion currently happens in #archlinux-reproducible on libera, feel free to drop by if you're running a instance or considering setting one up. Having a few unreproducible packages is normal (even if it's slightly more than the official rebuilder), but having additional people confirm successful rebuilds is very helpful.

Rebuilding Arch Linux

Please see the setup instructions in the Arch Linux Wiki.

Development with docker

There is a docker-compose setup in the repo, to start a basic stack simply clone the repository and run:

DOCKER_BUILDKIT=1 docker-compose up

The initial build is going to take some time.

To recompile your changes (you can optionally specify a specific image to build):

DOCKER_BUILDKIT=1 docker-compose build

The auth cookie has strict permissions, for development simply change them with:

sudo chmod 0644 secret/auth

Check you can successfully run administrative tasks, use this command to compile and run the rebuildctl binary:

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- -v status

There are no packages in the database yet, there's an example profile that we can load. It only contains one lightweight package and should successfully rebuild out-of-the-box in our docker-compose setup.

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- pkgs sync-profile --sync-config contrib/confs/rebuilderd-sync.conf debian-anarchism

Check the package was successfully added to the database with status UNKWN:

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- pkgs ls

You can display the build queue with this command, it's also going to display a timer for jobs that are currently in progress:

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- queue ls --head

You can use a combination of the commands mentioned to monitor your rebuilder. The packages should eventually show up as GOOD in rebuildctl pkgs ls.

Development

If you want to build from source or you want to run rebuilderd built from a specific commit this section contains instructions for that.

A rebuilder consists of the rebuilderd daemon and >= 1 workers:

First we switch into the daemon/ folder and run our rebuilderd daemon:

cd daemon; cargo run

This takes a moment but the api should now be available at https://127.0.0.1:8484/api/v0/dashboard.

This daemon needs to run in the background, so we're starting a new terminal to continue with the next steps.

Next we're going to build the rebuilctl binary and confirm it's able to connect to the api. If we don't get an error message this means it's working.

cd tools; cargo run -- status

We didn't connect any workers yet so this output is empty.

Next we want to connect a rebuilder. rebuilderd only does the scheduling for you, so you need to install additional software here (called a rebuilder backend):

Arch Linux: pacman -S archlinux-repro or git clone https://github.com/archlinux/archlinux-repro && archlinux-repro/ && make && sudo make install. Note that on debian buster you need to install systemd from buster-backports.

With a rebuilder backend installed we're now going to run our first worker:

cd worker; cargo run -- connect http://127.0.0.1:8484

This rebuilder should now show up in our rebuildctl status output:

cd tools; cargo run -- status

Next we're going to import some packages:

cd tools; cargo run -- pkgs sync archlinux community \
    'https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch' \
    --architecture x86_64 --maintainer kpcyrd

The --maintainer option is optional and allows you to rebuild packages by a specific maintainer only.

To show the current status of our imported packages run:

cd tools; cargo run -- pkgs ls

To monitor your workers are picking up tasks:

cd tools; cargo build && CLICOLOR_FORCE=1 watch -c ../target/debug/rebuildctl status

To inspect the queue run:

cd tools; cargo run -- queue ls

An easy way to test the package import is using a command like this:

cargo watch -- cargo run --bin rebuildctl -- pkgs sync-profile --print-json --sync-config contrib/confs/rebuilderd-sync.conf tails

Build a package directly:

cargo run --bin rebuilderd-worker -- \
	build debian 'http://deb.debian.org/debian/pool/main/a/anarchism/anarchism_15.3-3_all.deb' \
	--input-url 'https://buildinfos.debian.net/buildinfo-pool/a/anarchism/anarchism_15.3-3_all.buildinfo' \
	--backend 'debian=./rebuilder-debian.sh'

Dependencies

Debian: pkg-config liblzma-dev libssl-dev libsqlite3-dev libzstd-dev

Funding

Rebuilderd development is currently funded by:

~~kpcyrd's savings account~~
Google and The Linux Foundation
People like you and me on github sponsors

License

GPLv3+

Comments

rebuildctl: smarter endpoint detection?

rebuildctl should look at /etc/rebuilderd.conf for finding an endpoint before falling back to the hardcoded http://127.0.0.1:8080. Currently it only checks the -H arg and a config file in the user's config directory

also would be nice to have endpoint under [http] in the default/example config for discoverability

opened by seankhliao 5
store last modification in JSON output

I'm trying to store the generated files in a database, for that it would be important to know the latest modification. Please offer the date of last change as a unix timestamp, e.g. build_date.
enhancement

opened by aparcar 4
Possibility to provide at archlinux packages as x86_64_v3

Hello,

First thanks for providing such a nice project.

I got a question, i saw youve implemented to provide different march's. But i dont understand the code so far. My goal is to provide a repo which rebuilds several arch packages.

But at the makepkg.conf needs to be set the CARCH="x86_64_v3". Also at the PKGBUILD's its needed to change the arch=(x86_64) to arch=(x86_64_v3). And of course the CFFLAGS and the CXXFLAGS needs to be changed to -v3.

For me its personally the correct way to provide optimized v3 packages. To use this packages the user need to change his pacman.conf to Architectures= x86_64 x86_64_v3, until arch got a solution to provide this natively with pacman, right now they are using uname -m which only gives the x86 architecture out.

I read the code so far but dont get a solution that the packages still synced and compiled with this march.

Regards.

opened by ptr1337 3
Adds small QoL improvments to debian workers
This PR contains the following:

Update from buster to bullseye

Explicitly install mmdebstrap

Use rebuilderd-worker as ENTRYPOINT

Adds a small readme on how to run these containers as single-shot
opened by SantiagoTorres 2

Error when following instructions in rebuilderd readme

Hello! I'm Joy, a student working on the GSoC for in-toto-rs.

I will be continuing Santiago's PR https://github.com/kpcyrd/rebuilderd/pull/22 on adding in-toto link attestations to rebuilderd.

Issue

When I'm replicating the instructions in the readme, I came across an error in this step, which prevents me from continuing.

Afterwards it's time to import some packages:

cd tools; cargo run pkgs sync archlinux community \
    'https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch' \
    --architecture x86_64 --maintainer kpcyrd

I included more context and the logs of the error below. Happy to provide more information! Thanks again :D

When was this issue encountered?

I came across this issue last week, prior to 0.13.0's release. However, 0.13.0 also has this issue on my end.

Branch: main branch, directly from rebuilderd github.

Logs

thread 'main' panicked at 'Cannot drop a runtime in a context where blocking is not allowed. This happens when a runtime is dropped from within an asynchronous context.', /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/blocking/shutdown.rs:51:21
stack backtrace:
   0:     0x55a9e93e0ae0 - std::backtrace_rs::backtrace::libunwind::trace::h63b7a90188ab5fb3
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/../../backtrace/src/backtrace/libunwind.rs:90:5
   1:     0x55a9e93e0ae0 - std::backtrace_rs::backtrace::trace_unsynchronized::h80aefbf9b851eca7
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x55a9e93e0ae0 - std::sys_common::backtrace::_print_fmt::hbef05ae4237a4d72
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/sys_common/backtrace.rs:67:5
   3:     0x55a9e93e0ae0 - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h28abce2fdb9884c2
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/sys_common/backtrace.rs:46:22
   4:     0x55a9e940256f - core::fmt::write::h3b84512577ca38a8
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/fmt/mod.rs:1092:17
   5:     0x55a9e93daba2 - std::io::Write::write_fmt::h465f8feea02e2aa1
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/io/mod.rs:1572:15
   6:     0x55a9e93e2c35 - std::sys_common::backtrace::_print::h525280ee0d29bdde
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/sys_common/backtrace.rs:49:5
   7:     0x55a9e93e2c35 - std::sys_common::backtrace::print::h1f0f5b9f3ef8fb78
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/sys_common/backtrace.rs:36:9
   8:     0x55a9e93e2c35 - std::panicking::default_hook::{{closure}}::ha5838f6faa4a5a8f
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/panicking.rs:208:50
   9:     0x55a9e93e26e3 - std::panicking::default_hook::hfb9fe98acb0dcb3b
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/panicking.rs:225:9
  10:     0x55a9e93e323d - std::panicking::rust_panic_with_hook::hb89f5f19036e6af8
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/panicking.rs:591:17
  11:     0x55a9e90fef63 - std::panicking::begin_panic::{{closure}}::h2881e26e65559ec2
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:520:9
  12:     0x55a9e91029a9 - std::sys_common::backtrace::__rust_end_short_backtrace::hf72755a2a94f34f6
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:141:18
  13:     0x55a9e90fee99 - std::panicking::begin_panic::h15c2be904e611030
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:519:12
  14:     0x55a9e908ad79 - tokio::runtime::blocking::shutdown::Receiver::wait::h073c770868e90f61
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/blocking/shutdown.rs:51:21
  15:     0x55a9e906ac26 - tokio::runtime::blocking::pool::BlockingPool::shutdown::h48ac0f5088b38575
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/blocking/pool.rs:145:12
  16:     0x55a9e906b25c - <tokio::runtime::blocking::pool::BlockingPool as core::ops::drop::Drop>::drop::hcd39ceb02f241ef0
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/blocking/pool.rs:162:9
  17:     0x55a9e9085647 - core::ptr::drop_in_place<tokio::runtime::blocking::pool::BlockingPool>::h2e4b52bdd94c6483
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:187:1
  18:     0x55a9e90842f4 - core::ptr::drop_in_place<tokio::runtime::Runtime>::hf9896070b08b0dfa
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:187:1
  19:     0x55a9e8eeebbf - reqwest::blocking::wait::enter::hc01fa312e78d1873
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/reqwest-0.11.4/src/blocking/wait.rs:76:21
  20:     0x55a9e8eeced0 - reqwest::blocking::wait::timeout::hace97bf1d9b62b1a
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/reqwest-0.11.4/src/blocking/wait.rs:13:5
  21:     0x55a9e8ed5878 - reqwest::blocking::client::ClientHandle::new::hf73bfebd75d060c6
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/reqwest-0.11.4/src/blocking/client.rs:920:15
  22:     0x55a9e8ed4faf - reqwest::blocking::client::ClientBuilder::build::h1e141b4c2549f278
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/reqwest-0.11.4/src/blocking/client.rs:100:9
  23:     0x55a9e8ed504c - reqwest::blocking::client::Client::new::h33cc0a8e5a4b7a59
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/reqwest-0.11.4/src/blocking/client.rs:722:9
  24:     0x55a9e8a94abc - rebuildctl::schedule::archlinux::sync::hc8ddf85f9c22439c
                               at /home/joy/Projects/GSoC/rebuilderd/tools/src/schedule/archlinux.rs:134:18
  25:     0x55a9e8b04620 - rebuildctl::sync::{{closure}}::hf729556701093bb0
                               at /home/joy/Projects/GSoC/rebuilderd/tools/src/main.rs:40:30
  26:     0x55a9e8b1ef19 - <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll::ha81b80f8cb797f02
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/future/mod.rs:80:19
  27:     0x55a9e8b07088 - rebuildctl::main::{{closure}}::h6fc79775d6d12415
                               at /home/joy/Projects/GSoC/rebuilderd/tools/src/main.rs:102:47
  28:     0x55a9e8b1f419 - <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll::hec27939bc90dd308
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/future/mod.rs:80:19
  29:     0x55a9e8aada60 - tokio::park::thread::CachedParkThread::block_on::{{closure}}::h40ff13b5e13a9663
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/park/thread.rs:263:54
  30:     0x55a9e8aed442 - tokio::coop::with_budget::{{closure}}::h2465c661d042b242
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/coop.rs:106:9
  31:     0x55a9e8b4c4f8 - std::thread::local::LocalKey<T>::try_with::hc54abe921f7fb865
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/local.rs:272:16
  32:     0x55a9e8b4bf9d - std::thread::local::LocalKey<T>::with::h2e983d3c9957a159
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/thread/local.rs:248:9
  33:     0x55a9e8aad7ae - tokio::coop::with_budget::h4d46bd605f376470
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/coop.rs:99:5
  34:     0x55a9e8aad7ae - tokio::coop::budget::hd7d3e51c1c453581
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/coop.rs:76:5
  35:     0x55a9e8aad7ae - tokio::park::thread::CachedParkThread::block_on::hf6d327a8a6864dbf
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/park/thread.rs:263:31
  36:     0x55a9e8aed931 - tokio::runtime::enter::Enter::block_on::h6bdb29a1bea19c71
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/enter.rs:151:13
  37:     0x55a9e8abbb48 - tokio::runtime::thread_pool::ThreadPool::block_on::h600a773b584e89e9
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/thread_pool/mod.rs:71:9
  38:     0x55a9e8abbcb9 - tokio::runtime::Runtime::block_on::h66ac4d89edf27f73
                               at /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/mod.rs:452:43
  39:     0x55a9e8b05acb - rebuildctl::main::h0553f01748004dcc
                               at /home/joy/Projects/GSoC/rebuilderd/tools/src/main.rs:293:5
  40:     0x55a9e8ab275b - core::ops::function::FnOnce::call_once::he718fecb5defa377
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:227:5
  41:     0x55a9e8b4bd7e - std::sys_common::backtrace::__rust_begin_short_backtrace::h88b3e56f0aae8de1
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys_common/backtrace.rs:125:18
  42:     0x55a9e8ad0601 - std::rt::lang_start::{{closure}}::h757fc01a566eefa4
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:66:18
  43:     0x55a9e93e373a - core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once::h44574effd2120c86
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/core/src/ops/function.rs:259:13
  44:     0x55a9e93e373a - std::panicking::try::do_call::h10b0bd4879c8dfb0
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/panicking.rs:379:40
  45:     0x55a9e93e373a - std::panicking::try::h60c6780d33419e92
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/panicking.rs:343:19
  46:     0x55a9e93e373a - std::panic::catch_unwind::h111f33e08c52e2ce
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/panic.rs:431:14
  47:     0x55a9e93e373a - std::rt::lang_start_internal::h126f2e09345dbfda
                               at /rustc/9bc8c42bb2f19e745a63f3445f1ac248fb015e53/library/std/src/rt.rs:51:25
  48:     0x55a9e8ad05e0 - std::rt::lang_start::hc9f9e1df0ded33aa
                               at /home/joy/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:65:5
  49:     0x55a9e8b0fe8c - main
  50:     0x7f0ffcbf10b3 - __libc_start_main
  51:     0x55a9e8a240ee - _start
  52:                0x0 - <unknown>

opened by joyliu-q 2

Writes can be silently truncated during package download
I recently set up a rebuilderd instance and noticed around 20 packages failing to reproduce, even though the results in build/ are exactly identical to what I can download from the mirror. After examining my logs closely, I noticed that the workers were reporting download sizes smaller then the size of the files on the mirror by a small amount (usually only a few percent). I think I triggered this issue by having a large (relative to the size of the machine) number of workers, which for one reason or another (thread contention?) forced some writes to return partial results, causing the rest of the write buffer to be discarded.

Looking at worker/src/download.rs, I see that we write from the request stream using this loop:

let mut bytes: u64 = 0; while let Some(item) = stream.next().compat().await { let item = item?; bytes += f.write(&item).await? as u64; } info!("Downloaded {} bytes", bytes);

where f is a tokio::fs::File and write is from the trait tokio::io::AsyncWriteExt. This loop assumes that successful writes always write the whole buffer, but the documentation for this method explicitly rejects that:

This function will attempt to write the entire contents of buf, but the entire write may not succeed, or the write may also generate an error. A call to write represents at most one attempt to write to any wrapped object.

Instead there should be a loop like this:

let mut bytes: u64 = 0; while let Some(item) = stream.next().compat().await { let mut item = item?; while !item.is_empty() { let written = f.write(&item).await? as u64; bytes += written; _, item = item.split_at(written); } } info!("Downloaded {} bytes", bytes);

More generally, there should also be some integrity checking on the download, just to ensure that the downloaded package hasn't been corrupted. Otherwise we risk wasting a bunch of time trying to reproduce a package that can't be reproduced.
bug
opened by fergus-dall 2
[email protected]: all builds fail
Due to the introduction of setsid -c in repro (cf. archlinux/archlinux-repro#82 ) and that by default systemd-services don't run in a terminal, by running [email protected] all builds will eventually fail with the following message:

setsid: failed to set the controlling terminal: Inappropriate ioctl for device

I am not sure if this issue can be resolved by simply telling the service to use a tty somehow. As far as I've tested it this results in the referenced bug (ie. first build succeeding, subsequent failing until service is restarted).
opened by stefan0xC 2
Signed rebuild attestations

Right now rebuilders are very informal. They report their status, but a GOOD attestation is not used for anything serious yet. Right now it's sufficient to use the basic security that https provides.

I'm opening this as a tracking issue to collect ideas and thoughts how this should look like in the future.
enhancement

opened by kpcyrd 2
Store build logs or diffoscope html output

Currently it's only possible to investigate why a build was unreproducible by rebuilding it locally and running for example diffoscope. It would be nice to be able to view the build log, results or diffoscope html output via an API call.

opened by jelly 2
Delete orphaned builds in batches

There's a background job for cleanup that's likely looking up the database for extended periods of time:

https://github.com/kpcyrd/rebuilderd/blob/8ff458ff71381db01e1fba8abe01e974c7eacbf4/daemon/src/lib.rs#L36

This could be split up so the select is executed on its own, and the deletes are executed in batches, so each delete locks up the database briefly instead of locking it once for a long time.

opened by kpcyrd 1
Tails signature verification failure

The tails.sh script hardcodes the Tails gpg key, unfortunately, it needs to be refreshed, but since the signing key weights around ~1.5M, it doesn't seem practical to embed it in the script.

Maybe download it with wget https://tails.boum.org/tails-signing.key, import it into gpg, and hack something with git verify-tag?

opened by jvoisin 1
Why woker containers need SYS_ADMIN to deploy

Hi, I noticed that in https://github.com/kpcyrd/rebuilderd/tree/b015d16ea1e37924963c60c7a34ebf0d7d45504f/worker , worker containers need to be run with SYS_ADMIN. However, due to some security concerns, it would be hard for me to deploy with SYS_ADMIN. So I sincerely wonder why SYS_ADMIN is imperative : )

opened by kitaharazy 0

Tails doesn't build anymore :'(

$ rebuildctl pkgs sync-profile --sync-config /etc/rebuilderd-sync.conf tails

[…]

Aug 08 16:03:53 rebuilderd rebuilderd-worker[575]: ==> box: Box file was not detected as metadata. Adding it directly...
Aug 08 16:03:53 rebuilderd rebuilderd-worker[575]: ==> box: Adding box 'tails-builder-amd64-bullseye-20220712-fb05d75887' (v0) for provider:
Aug 08 16:03:53 rebuilderd rebuilderd-worker[575]:     box: Unpacking necessary files from: file:///tmp/tails.uOtKYL/tails/tails-builder-amd64-bullseye-20220712-fb05d75887.box
Aug 08 16:03:56 rebuilderd rebuilderd-worker[575]: [239B blob data]
Aug 08 16:03:57 rebuilderd rebuilderd-worker[575]: Bringing machine 'default' up with 'libvirt' provider...
Aug 08 16:03:57 rebuilderd rebuilderd-worker[575]: ==> default: Uploading base box image as volume into Libvirt storage...
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: [47.9K blob data]
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: [24.4K blob data]
Aug 08 16:03:59 rebuilderd libvirtd[32076]: libvirt version: 8.5.0, package: 1 (Andrea Bolognani <[email protected]> Sun, 17 Jul 2022 17:12:07 +0200)
Aug 08 16:03:59 rebuilderd libvirtd[32076]: hostname: rebuilderd
Aug 08 16:03:59 rebuilderd libvirtd[32076]: storage volume 'apt-cacher-ng-data.qcow2' exists already
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: Error while creating volume for domain: Call to virStorageVolCreateXML failed: storage volume 'apt-cacher-ng-data.qcow2' exists already
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: rake aborted!
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: VagrantCommandError: 'vagrant ["up", "--provision"]' command failed with exit status 1
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:113:in `rescue in run_vagrant'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:110:in `run_vagrant'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:702:in `block (2 levels) in <top (required)>'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /usr/share/rubygems-integration/all/gems/rake-13.0.6/exe/rake:27:in `<top (required)>'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: Caused by:
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: CommandError: command ["vagrant", "up", "--provision"], {:chdir=>"./vagrant"} failed with exit status 1
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:78:in `run_command'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:111:in `run_vagrant'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:702:in `block (2 levels) in <top (required)>'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /usr/share/rubygems-integration/all/gems/rake-13.0.6/exe/rake:27:in `<top (required)>'
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: Tasks: TOP => build => vm:up
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: (See full trace by running task with --trace)
Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: + rm -rf -- /tmp/tails.uOtKYL
Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker::proc] "/usr/libexec/rebuilderd/rebuilder-tails.sh" exited with exit=exit status: 1, captured 96909 bytes
Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker::rebuild] No output artifact found, marking as BAD: "/tmp/rebuilderdER21h5/out/tails-amd64-5.3.1.img"
Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker::rebuild] No output artifact found, marking as BAD: "/tmp/rebuilderdER21h5/out/tails-amd64-5.3.1.iso"
Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker] Sending build report to rebuilderd...
Aug 08 16:04:00 rebuilderd rebuilderd[578]: [2022-08-08T14:04:00Z INFO  actix_web::middleware::logger] 127.0.0.1:58292 "POST /api/v0/build/report HTTP/1.1" 200 4 "-" "-" 0.050013
Aug 08 16:04:03 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:03Z INFO  rebuilderd_worker] Requesting work from rebuilderd...
Aug 08 16:04:03 rebuilderd rebuilderd[578]: [2022-08-08T14:04:03Z INFO  actix_web::middleware::logger] 127.0.0.1:58292 "POST /api/v0/queue/pop HTTP/1.1" 200 9 "-" "-" 0.000366
Aug 08 16:04:03 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:03Z INFO  rebuilderd_worker] No pending tasks, sleeping for 180s...

opened by jvoisin 1

Do not capture absolute paths in in-toto link metadata

Currently, when rebuilderd records an in-toto link after a successful rebuild, the absolute path of both the input and output packages are recorded. Typically, this looks something like /tmp/rebuilderd<build string>/{inputs,out}/<package file>. This should be replaced with just <package file>, enabling more straightforward artifact rules in in-toto layouts. Since rebuilderd is aware of the build location, it can pass this path to in-toto as a string to be left-stripped.

Related: https://github.com/in-toto/in-toto-rs/issues/12

opened by adityasaky 0
Make workers profile aware or profiles worker aware

I'd like to be able to use some workers exclusively to rebuild selected profiles, for example, Arch Linux's community repository which has significantly more packages than core and extra. This would also allow for more granular control over which underlying host builds which packages. For example, heavier packages like linux*, gcc etc can be in a separate profile, that is always assigned to a host with the necessary resources.

opened by adityasaky 0
Killing builds after timeout doesn't work reliably

Especially on the debian rebuilder builds get frequently stuck during tests and the kill-after-timeout doesn't seem to work reliably.

The code that configures the timeout:

https://github.com/kpcyrd/rebuilderd/blob/9b586829d858ef130ef0a234e7da27020bf01357/worker/src/rebuild.rs#L186-L193

The code that's supposed to kill the process:

https://github.com/kpcyrd/rebuilderd/blob/9b586829d858ef130ef0a234e7da27020bf01357/worker/src/proc.rs#L90-L114

This needs investigation.

opened by kpcyrd 1

Releases(v0.19.0)

v0.19.0(Aug 30, 2022)
Run delete for orphaned builds in chunks

Update in-toto dependency to 0.3.0

Add make install target

Misc bugfixes for Debian, Arch Linux, Tails rebuilds

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.19.0.tar.gz.asc(850 bytes)
v0.18.1(Dec 17, 2021)
Update the tails rebuilder script to set $HOME to a temporary directory. Thanks to @jvoisin for reporting and his help debugging this (#112, #118)

Thanks

We'd like to thank @jvoisin, @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.18.1.tar.gz.asc(850 bytes)
v0.18.0(Dec 15, 2021)
Include error message in unexpected error while rebuilding package #114

Refactor logging so a fatal error is appended to the log instead of replacing it #114

Debian: Use Filename: field for .deb url #115

Make POST body size limit configurable #116

Thanks

We'd like to thank @jvoisin, @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.18.0.tar.gz.asc(850 bytes)
v0.17.0(Dec 12, 2021)
Allow picking a different sync-method than the distro used. This allows reusing the Arch Linux sync code for other pacman-based distributions that might need a different rebuilder backend. #109

Create new process groups for the rebuild and kill the whole group on build timeout instead of just the immediate child process #110, #111 (thanks to @stoeckmann for his help and insight)

Thanks

We'd like to thank @jvoisin, @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.17.0.tar.gz.asc(850 bytes)
v0.16.6(Dec 5, 2021)
Fix rebuildctl queue push using package ids instead of pkgbase ids

Clear next_retry column if all packages are GOOD

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.16.6.tar.gz.asc(850 bytes)
v0.16.5(Dec 3, 2021)
Generate diffoscope from artifact_path, not input_path #102

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.16.5.tar.gz.asc(850 bytes)
v0.16.4(Dec 1, 2021)
Don't send all artifacts when pinging a build, avoids http 413 errors #100

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.16.4.tar.gz.asc(850 bytes)
v0.16.3(Nov 28, 2021)
Add missing runtime dependencies to docker container #92, #93

If attestation failed to generate log a warning but don't error #94, #95, #96

Allow multiple versions of packages in unique constraint #97

Run sync import in database transaction #97

Allow multiple pkgbases with same name and version but different architecture #97

Fix delete performance when removing packages with filters #97

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.16.3.tar.gz.asc(850 bytes)
v0.16.2(Nov 22, 2021)
Switch worker-debian Dockerfile to use debrebuild.py by @fepitre

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.16.2.tar.gz.asc(850 bytes)
v0.16.1(Nov 22, 2021)
Fix a regression in the container image: Revert REBUILDERD_COOKIE_PATH=/secret/auth default - When using rebuildctl from the container image this would always attempt to load the auth cookie from /secret/auth and fail if it doesn't exist, instead of attempting to load the auth cookie from /etc/rebuilderd.conf.

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.16.1.tar.gz.asc(850 bytes)
v0.16.0(Nov 22, 2021)
This release lands build groups, which allows reproducing multiple packages with a single build, if they share a common base (pkgbase in Arch Linux, source package in debian, or a common release number in tails). This reduces the cpu load of running a rebuilder because it's using the resources more efficiently.

Update tails documentation (thanks to @jvoisin)

Important: the build group change impacts the size of the report POST body, both because the build log is submitted multiple times for each package and because each package can have its own diffoscope. If you're using nginx to limit the request body (on by default) please adjust your config accordingly, either by setting a lower size limit in rebuilderd, or allowing larger request bodies in nginx.

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.16.0.tar.gz.asc(850 bytes)
v0.15.0(Oct 16, 2021)
distro field is now an opaque string instead of an enum

url has been renamed to artifact_url in a few places

It's now possible to pass --input-url to support eg. external buildinfo files

/data and /secret are now volumes in the rebuilderd docker image

Avoid double-slash in request if endpoint url ends with slash

Correctly load auth-cookie in rebuildctl pkgs sync-stdin

Breaking changes

The worker config format has been updated, the rebuilder backends now need to be explicitly registered. This may look like this:

[backend."archlinux"] path = "/usr/libexec/rebuilderd/rebuilder-archlinux.sh" [backend."debian"] path = "/usr/libexec/rebuilderd/rebuilder-debian.sh" [backend."tails"] path = "/usr/libexec/rebuilderd/rebuilder-tails.sh"

The url field is now called artifact_url in some api responses, using 0.14.2 rebuildctl and 0.15.0 rebuilderd may not be compatible with each other

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.15.0.tar.gz.asc(850 bytes)
v0.14.2(Sep 26, 2021)
Make stdio-read fixes for #71 more reliable. Shoutout to @stoeckmann and @c3h2_ctf for helping debug this.

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.14.2.tar.gz.asc(850 bytes)
v0.14.1(Sep 26, 2021)
Fix race when reading from stdio and waiting for process to exit. This has (very rarely) caused incomplete logs, diffoscopes, and flaky tests

libsodium is not required anymore since in-toto and the dependency has been removed

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.14.1.tar.gz.asc(850 bytes)
v0.14.0(Sep 21, 2021)
Add in-toto attestation to rebuilderd by @joyliu-q during Google Summer of Code

Add experimental tails support

Add subcommand to download attestation with rebuildctl

Dynamically link zstd

Arch Linux: Detect compression with tree_magic

Change default cpu and io priority of rebuilderd-worker to idle

Fix auth cookie discovery for docker-compose

Bugfixes for the work-in-progress debian setup by @SantiagoTorres

Update debrebuild flag to --buildresults=

Convert blocking reqwest client to async

Breaking changes

The worker keys are automatically regenerated when migrating from 0.13.0 to 0.14.0

Authenticating by the public key alone is not allowed anymore

Thanks

This work was sponsored by Google, The Linux Foundation, and people like you and me! We'd like to thank @SantiagoTorres and @repi in particular for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.14.0.tar.gz.asc(850 bytes)
v0.13.0(Jul 22, 2021)
Track if a diffoscope report is available and publish this info on /api/v0/pkgs/list for the frontend to use

Thanks

This work was sponsored by Google, The Linux Foundation, and people like you and me! We'd like to thank @SantiagoTorres and @repi in particular for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.13.0.tar.gz.asc(850 bytes)
v0.12.0(May 17, 2021)
Automatically garbage collect old builds in a background thread

Add a subcommand to fetch build logs

Add a subcommand to fetch diffoscope

Add pager to log and diffoscope when writing to tty

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.12.0.tar.gz.asc(850 bytes)
v0.11.0(May 16, 2021)
The output directory for repro is now managed by rebuilderd

In preparation for pkgbase aware rebuilds, we now ignore the exit code of the rebuilder backend and instead verify the file written to the outdir is equal to the rebuild input

The ./build/ folders in /var/lib/rebuilderd-worker are now unused and can be deleted

The rebuild artifacts are not stored anymore, only the status and optionally the diffoscope are stored

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.11.0.tar.gz.asc(850 bytes)
v0.10.0(Apr 12, 2021)
Add Last-Modified and If-Modified-Since support for /api/v0/pkgs/list (contributed by @jelly)

Updated dependencies

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.10.0.tar.gz.asc(850 bytes)
v0.9.1(Dec 27, 2020)
Bugfixes

Fix a bug with corrupted downloads if not the whole buffer has been written (#40) - Thanks to @fergus-dall for discovering, analyzing and reporting this bug!

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.9.1.tar.gz.asc(850 bytes)
v0.9.0(Dec 24, 2020)
Introduce pkgbases to the database - this is in preparation to change build scheduling from individual binary packages to the pkgbase and verify all binary outputs with a single build. This release starts to transition existing packages and results. A future release is going to delete all results that haven't been transitioned. Upgrading to v0.9.0 before upgrading to v0.10.0 is recommended. Consider joining #archlinux-reproducible or #rebuilderd on freenode and say hi so we can check in on you for major changes like this.

Fix a bug with any packages not getting retried.

Add a dashboard endpoint designed for high load.

Add rebuildctl pkgs sync-stdin <distro> <suite> to support external package index parsers that output the format used by rebuildctl pkgs sync --print-json.

Change the commandline options for rebuildctl pkgs sync since multiple architectures can be specified now.

Introduce --release and releases = in preparation for debian support.

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.9.0.tar.gz.asc(850 bytes)
v0.8.0(Dec 6, 2020)
Build Logs

Allow configuring the build log size/time limit - this mitigates an issue when the build prints 10's of megabytes of text, exceeding the max post limit. Also, the maximum build time can be configured instead of being hard-coded to 24h.

Introduce an option to disable build output forwarding - By default all build output is written to journald, this is useful for debugging but may slow down certain log queries. You can now choose to disable output passthrough so the build output is only stored in rebuilderd.

Misc

Update default worker config with new [build] section

Add -C as short option for --color

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.8.0.tar.gz.asc(850 bytes)
v0.7.0(Nov 20, 2020)
New diffoscope configuration

Rename gen_diffoscope to diffoscope.enabled

Add an option to add timeout to diffoscope execution (defaults to 1h)

Add an option to truncate diffoscope output to configured number of bytes

Add an option to add custom arguments to diffoscope

Log how many bytes have been captured from diffoscope

Misc

Handle errors that cause a worker exit

Make http client async

Improve rebuilderd-worker logging

Clear build_id when reseting package

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.7.0.tar.gz.asc(850 bytes)
v0.6.0(Nov 8, 2020)
Workers are now capturing and persisting build output

The daemon is now storing and publishing the build logs and diffoscope diffs through the api, /api/v0/builds/{id}/log and /api/v0/builds/{id}/diffoscope, the build_id can be found in rebuildctl pkgs ls --name foo as eg. #123.

Workers can be gracefully restarted by creating an empty file at /var/lib/rebuilderd-worker/$WORKER/rebuilderd.restart.

Rework diffoscope integration

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.6.0.tar.gz.asc(850 bytes)
v0.5.0(Nov 2, 2020)
Reduce sqlite db locking issues

Introduce automatic retries

Introduce queue priorities

Support picking up ip from reverse proxy

Add scheduler integration tests

Automatically abort builds after 24h

Add build time to api reponse

Add cargo-deb configs

Download the package with rust instead of wget

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.5.0.tar.gz.asc(850 bytes)
v0.4.0(Apr 30, 2020)
Use system repro configs and paths. This unblocks multiple rebuilderd-workers on the same host with a recent archlinux-repro

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.4.0.tar.gz.asc(850 bytes)
v0.3.1(Apr 30, 2020)
Fix a bug with rebuildctl queue drop not working correctly

Use regular arch mirror urls for the source in rebuilderd-sync.conf. The old format still works but generates a deprecation warning. The new format looks like: source = "https://ftp.halifax.rwth-aachen.de/archlinux/$repro/os/$arch" #15

Fix a bug that changes in /etc/rebuilderd-worker/*/archlinux-repro/repro.conf are always overwritten

Adding the following line to aboves config now significantly speeds up downloads: export ARCH_ARCHIVE_CACHE=https://cache.rebuilder.fzylab.net/packages

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.3.1.tar.gz.asc(850 bytes)
v0.3.0(Apr 27, 2020)
Important the default port has been changed from 127.0.0.1:8080 to 127.0.0.1:8484 to avoid conflicts

Allow setting auth cookies for multiple endpoints

Man pages for binaries and config files have been added

Don't ignore errors with invalid configs

Set the worker ping interval from 30s to 60s

Automatically restart workers with systemd if they crash

Set some hardening options on the rebuilderd systemd unit

Thanks

We'd like to thank @repi for their support on github sponsors.
Source code(tar.gz)
Source code(zip)
rebuilderd-0.3.0.tar.gz.asc(850 bytes)
v0.2.2(Apr 23, 2020)
Fix a bug with rebuilderd always generating a cookie instead of reading /etc/rebuilderd.conf

If no worker authentication is configured, require admin auth instead of no auth

Add excludes = [] and --exclude to allow blacklisting packages from sync by name

Add glob support to match packages by pattern

Add --color to rebuilctl for colors with watch -c

Add an option for json output in rebuildctl

Improve logging regarding auth cookie

Source code(tar.gz)
Source code(zip)
rebuilderd-0.2.2.tar.gz.asc(850 bytes)
v0.2.1(Apr 22, 2020)

Source code(tar.gz)
Source code(zip)
rebuilderd-0.2.1.tar.gz.asc(850 bytes)