Independent verification of binary packages - reproducible builds

Overview


Independent verification system of binary packages.


rebuilderd monitors the package repository of a Linux distribution and uses rebuilder backends like archlinux-repro to verify that the provided binary packages can be reproduced from the given source code.

It tracks the state of successfully verified packages and optionally generates a report of differences with diffoscope for debugging. Note that due to the early state of this technology, a failed rebuild is more likely caused by a non-deterministic build process than by a supply chain compromise. However, if multiple rebuilders you trust report 100% reproducible for the set of packages you use, you can be confident that the binaries on your system haven't been tampered with. People are encouraged to run their own rebuilders if they can afford to.

Status

Status Docker Doesn't need --privileged Doesn't need /dev/kvm Backend
Arch Linux ✔️ supported - ✔️ archlinux-repro
Debian 🚀 experimental ✔️ ✔️ debrebuild.py
Tails 🚀 experimental - docs (script)
Alpine planned - - - -

Docker: There's a docker-compose example setup in this repository, but not all rebuilder backends support running inside of a docker container (for example because it's creating containers itself).

Doesn't need --privileged: Some rebuilder backends create containers in a way that works inside of a docker container, if they're granted the required kernel capabilities to do so. Granting these capabilities may have security implications: it can affect other containers running on that system, or the code running inside the container may reconfigure the system outside of the docker container.

Doesn't need /dev/kvm: Some build tools may need to start a virtual machine and depend on /dev/kvm being available. This is a special requirement for the hosting environment: you either need a VPS with Nested KVM or dedicated non-virtualized hardware.

Accessing a rebuilderd instance in your browser

Many instances run a web frontend to display their results. rebuilderd-website is a very good choice and is the software powering the Arch Linux rebuilderd instance:

https://reproducible.archlinux.org/

Loading the index of all packages may take a short time.

Scripting access to a rebuilderd instance


It's also possible to query and manage a rebuilderd instance in a scriptable way. It's recommended to install the rebuildctl command-line utility to do this (instructions for your system may vary, see the packaging status for your distribution):

pacman -S rebuilderd-tools

You can then query a rebuilderd instance for the status of a specific package:

rebuildctl -H https://reproducible.archlinux.org pkgs ls --name rebuilderd

You have to specify which instance you want to query because there's no definite truth™. You could ask multiple instances though, including one you operate yourself.
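The "ask multiple instances" idea as an added example (not part of rebuilderd or rebuildctl): it counts how many distinct trusted instances report GOOD for exactly the installed version of each package. The line format `<instance> <package> <version> <status>`, the instance and package names, and the `unconfirmed` function are assumptions made for this example.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One parsed line of the constructed input format
/// "<instance> <package> <version> <status>" (an assumption, not rebuildctl output).
#[derive(Debug, Clone, PartialEq, Eq)]
struct Report {
    instance: String,
    package: String,
    version: String,
    status: String,
}

/// Constructed sample reports from three trusted instances and one unknown one.
const SAMPLE: &str = "\
rebuilder-a alpha 1.0-1 GOOD
rebuilder-b alpha 1.0-1 GOOD
rebuilder-c alpha 1.0-1 BAD
rebuilder-a beta 2.2-1 GOOD
rebuilder-b beta 2.3-1 GOOD
rebuilder-c beta 2.3-1 UNKWN
rebuilder-a gamma 0.9-2 GOOD
rebuilder-a gamma 0.9-2 GOOD
rebuilder-x gamma 0.9-2 GOOD
";

/// Constructed list of (package, version) pairs installed on the local system.
const INSTALLED: [(&str, &str); 3] = [("alpha", "1.0-1"), ("beta", "2.3-1"), ("gamma", "0.9-2")];

fn parse_reports(input: &str) -> Vec<Report> {
    input
        .lines()
        .filter_map(|line| {
            let f: Vec<&str> = line.split_whitespace().collect();
            if f.len() != 4 {
                return None; // skip malformed lines instead of guessing
            }
            Some(Report {
                instance: f[0].to_string(),
                package: f[1].to_string(),
                version: f[2].to_string(),
                status: f[3].to_string(),
            })
        })
        .collect()
}

/// Returns (package, version, confirmations) for every installed package that
/// fewer than `threshold` distinct trusted instances report as GOOD.
/// A GOOD for another version, a repeated line from the same instance, and a
/// report from an instance outside `trusted` do not count.
fn unconfirmed(
    installed: &[(&str, &str)],
    reports: &[Report],
    trusted: &[&str],
    threshold: usize,
) -> Vec<(String, String, usize)> {
    let trusted: BTreeSet<&str> = trusted.iter().copied().collect();
    // (package, version) -> set of trusted instances that reported GOOD
    let mut good: BTreeMap<(&str, &str), BTreeSet<&str>> = BTreeMap::new();
    for r in reports {
        if r.status == "GOOD" && trusted.contains(r.instance.as_str()) {
            good.entry((r.package.as_str(), r.version.as_str()))
                .or_default()
                .insert(r.instance.as_str());
        }
    }
    installed
        .iter()
        .filter_map(|&(name, version)| {
            let n = good.get(&(name, version)).map_or(0, |s| s.len());
            if n < threshold {
                Some((name.to_string(), version.to_string(), n))
            } else {
                None
            }
        })
        .collect()
}

fn main() {
    let reports = parse_reports(SAMPLE);
    let trusted = ["rebuilder-a", "rebuilder-b", "rebuilder-c"];
    for (name, version, n) in unconfirmed(&INSTALLED, &reports, &trusted, 2) {
        println!("{} {}: only {} trusted GOOD report(s)", name, version, n);
    }
}
```
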

If the rebuilder seems to have outdated data or lists a package as unknown, the update may still be in the build queue. You can query the build queue of an instance like this:

rebuildctl -H https://reproducible.archlinux.org queue ls --head

If there's no output that means the build queue is empty.

If you're the administrator of this instance you can also run commands like:

rebuildctl status

Or immediately retry all failed rebuild attempts (there's an automatic retry on by default):

rebuildctl pkgs requeue --status BAD --reset

Running a rebuilderd instance yourself


"I compile everything from source" - a significant amount of real world binary packages can already be reproduced today. The more people run rebuilders, the harder it is to compromise all of them.

At the current stage of the project we're interested in every rebuilder there is! Most rebuilderd discussion currently happens in #archlinux-reproducible on libera, feel free to drop by if you're running an instance or considering setting one up. Having a few unreproducible packages is normal (even if it's slightly more than the official rebuilder), but having additional people confirm successful rebuilds is very helpful.

Rebuilding Arch Linux

Please see the setup instructions in the Arch Linux Wiki.

Development with docker

There is a docker-compose setup in the repo. To start a basic stack, simply clone the repository and run:

DOCKER_BUILDKIT=1 docker-compose up

The initial build is going to take some time.

To recompile your changes (you can optionally specify a specific image to build):

DOCKER_BUILDKIT=1 docker-compose build

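The auth cookie is created with strict permissions. For development, simply relax them (mode 0644 makes the cookie readable by every local user, so only do this on a development machine):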

sudo chmod 0644 secret/auth

Check that you can successfully run administrative tasks. Use this command to compile and run the rebuildctl binary:

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- -v status

There are no packages in the database yet, but there's an example profile that we can load. It only contains one lightweight package and should successfully rebuild out-of-the-box in our docker-compose setup.

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- pkgs sync-profile --sync-config contrib/confs/rebuilderd-sync.conf debian-anarchism

Check the package was successfully added to the database with status UNKWN:

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- pkgs ls

You can display the build queue with this command. It also displays a timer for jobs that are currently in progress:

REBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- queue ls --head

You can use a combination of the commands mentioned to monitor your rebuilder. The packages should eventually show up as GOOD in rebuildctl pkgs ls.

Development

If you want to build from source or you want to run rebuilderd built from a specific commit this section contains instructions for that.

A rebuilder consists of the rebuilderd daemon and >= 1 workers:

First we switch into the daemon/ folder and run our rebuilderd daemon:

cd daemon; cargo run

This takes a moment, but the API should now be available at https://127.0.0.1:8484/api/v0/dashboard.

This daemon needs to run in the background, so we're starting a new terminal to continue with the next steps.

Next we're going to build the rebuildctl binary and confirm it's able to connect to the API. If we don't get an error message, this means it's working.

cd tools; cargo run -- status

We didn't connect any workers yet so this output is empty.

Next we want to connect a rebuilder. rebuilderd only does the scheduling for you, so you need to install additional software here (called a rebuilder backend):

  • Arch Linux: pacman -S archlinux-repro or git clone https://github.com/archlinux/archlinux-repro && cd archlinux-repro/ && make && sudo make install. Note that on Debian buster you need to install systemd from buster-backports.

With a rebuilder backend installed we're now going to run our first worker:

cd worker; cargo run -- connect http://127.0.0.1:8484

This rebuilder should now show up in our rebuildctl status output:

cd tools; cargo run -- status

Next we're going to import some packages:

cd tools; cargo run -- pkgs sync archlinux community \
    'https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch' \
    --architecture x86_64 --maintainer kpcyrd

The --maintainer option is optional and allows you to rebuild packages by a specific maintainer only.

To show the current status of our imported packages run:

cd tools; cargo run -- pkgs ls

To monitor that your workers are picking up tasks:

cd tools; cargo build && CLICOLOR_FORCE=1 watch -c ../target/debug/rebuildctl status

To inspect the queue run:

cd tools; cargo run -- queue ls

An easy way to test the package import is using a command like this:

cargo watch -- cargo run --bin rebuildctl -- pkgs sync-profile --print-json --sync-config contrib/confs/rebuilderd-sync.conf tails

Build a package directly:

cargo run --bin rebuilderd-worker -- \
	build debian 'http://deb.debian.org/debian/pool/main/a/anarchism/anarchism_15.3-3_all.deb' \
	--input-url 'https://buildinfos.debian.net/buildinfo-pool/a/anarchism/anarchism_15.3-3_all.buildinfo' \
	--backend 'debian=./rebuilder-debian.sh'

Dependencies

Debian: pkg-config liblzma-dev libssl-dev libsqlite3-dev libzstd-dev

Funding

Rebuilderd development is currently funded by:

  • kpcyrd's savings account
  • Google and The Linux Foundation
  • People like you and me on github sponsors

License

GPLv3+

Comments
  • rebuildctl: smarter endpoint detection?

    rebuildctl should look at /etc/rebuilderd.conf for finding an endpoint before falling back to the hardcoded http://127.0.0.1:8080. Currently it only checks the -H arg and a config file in the user's config directory.

    also would be nice to have endpoint under [http] in the default/example config for discoverability

    opened by seankhliao 5
  • store last modification in JSON output

    I'm trying to store the generated files in a database, for that it would be important to know the latest modification. Please offer the date of last change as a unix timestamp, e.g. build_date.

    enhancement 
    opened by aparcar 4
  • Possibility to provide at archlinux packages as x86_64_v3

    Hello,

    First thanks for providing such a nice project.

    I got a question: I saw you've implemented to provide different march's. But I don't understand the code so far. My goal is to provide a repo which rebuilds several Arch packages.

    But in makepkg.conf, CARCH="x86_64_v3" needs to be set. Also, in the PKGBUILDs it's needed to change arch=(x86_64) to arch=(x86_64_v3). And of course the CFLAGS and the CXXFLAGS need to be changed to -v3.

    For me personally, it's the correct way to provide optimized v3 packages. To use these packages, the user needs to change his pacman.conf to Architectures= x86_64 x86_64_v3 until Arch has a solution to provide this natively with pacman; right now they are using uname -m, which only gives the x86 architecture out.

    I read the code so far but don't get a solution that the packages are still synced and compiled with this march.

    Regards.

    opened by ptr1337 3
  • Adds small QoL improvements to debian workers

    This PR contains the following:

    1. Update from buster to bullseye
    2. Explicitly install mmdebstrap
    3. Use rebuilderd-worker as ENTRYPOINT
    4. Adds a small readme on how to run these containers as single-shot
    opened by SantiagoTorres 2
  • Error when following instructions in rebuilderd readme

    Hello! I'm Joy, a student working on the GSoC for in-toto-rs.

    I will be continuing Santiago's PR https://github.com/kpcyrd/rebuilderd/pull/22 on adding in-toto link attestations to rebuilderd.

    Issue

    When I'm replicating the instructions in the readme, I came across an error in this step, which prevents me from continuing.

    Afterwards it's time to import some packages:

    cd tools; cargo run pkgs sync archlinux community \
        'https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch' \
        --architecture x86_64 --maintainer kpcyrd
    

    I included more context and the logs of the error below. Happy to provide more information! Thanks again :D

    When was this issue encountered?

    I came across this issue last week, prior to 0.13.0's release. However, 0.13.0 also has this issue on my end.

    • Branch: main branch, directly from rebuilderd github.

    Logs

    thread 'main' panicked at 'Cannot drop a runtime in a context where blocking is not allowed. This happens when a runtime is dropped from within an asynchronous context.', /home/joy/.cargo/registry/src/github.com-1ecc6299db9ec823/tokio-1.8.2/src/runtime/blocking/shutdown.rs:51:21
    
    opened by joyliu-q 2
  • Writes can be silently truncated during package download

    I recently set up a rebuilderd instance and noticed around 20 packages failing to reproduce, even though the results in build/ are exactly identical to what I can download from the mirror. After examining my logs closely, I noticed that the workers were reporting download sizes smaller than the size of the files on the mirror by a small amount (usually only a few percent). I think I triggered this issue by having a large (relative to the size of the machine) number of workers, which for one reason or another (thread contention?) forced some writes to return partial results, causing the rest of the write buffer to be discarded.

    Looking at worker/src/download.rs, I see that we write from the request stream using this loop:

        let mut bytes: u64 = 0;
        while let Some(item) = stream.next().compat().await {
            let item = item?;
            bytes += f.write(&item).await? as u64;
        }
        info!("Downloaded {} bytes", bytes);
    

    where f is a tokio::fs::File and write is from the trait tokio::io::AsyncWriteExt. This loop assumes that successful writes always write the whole buffer, but the documentation for this method explicitly rejects that:

    This function will attempt to write the entire contents of buf, but the entire write may not succeed, or the write may also generate an error. A call to write represents at most one attempt to write to any wrapped object.

    Instead there should be a loop like this:

        let mut bytes: u64 = 0;
        while let Some(item) = stream.next().compat().await {
            let item = item?;
            // write() may accept only part of the buffer, so keep writing the rest
            let mut rest = &item[..];
            while !rest.is_empty() {
                let written = f.write(rest).await?;
                bytes += written as u64;
                rest = &rest[written..];
            }
        }
        info!("Downloaded {} bytes", bytes);
    

    More generally, there should also be some integrity checking on the download, just to ensure that the downloaded package hasn't been corrupted. Otherwise we risk wasting a bunch of time trying to reproduce a package that can't be reproduced.

    bug 
    opened by fergus-dall 2
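An added illustration of the short-write problem reported above, not code from rebuilderd: it uses synchronous `std::io::Write`, whose `write()` is likewise a single attempt that may accept only part of the buffer, in place of tokio, and a length comparison as the simplest form of the integrity check the report asks for. `ShortWriter`, `copy_truncating`, `copy_complete` and the `expected_len` parameter are hypothetical names, and the input chunks are constructed.

```rust
use std::io::{self, Write};

/// Constructed sink that accepts at most `max` bytes per write() call,
/// standing in for a file that returns partial writes under load.
struct ShortWriter {
    data: Vec<u8>,
    max: usize,
}

impl Write for ShortWriter {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
        let n = buf.len().min(self.max);
        self.data.extend_from_slice(&buf[..n]);
        Ok(n)
    }

    fn flush(&mut self) -> io::Result<()> {
        Ok(())
    }
}

/// The pattern from the report: one write() per chunk, so whatever the sink
/// did not accept is dropped and only the byte counter hints at the loss.
fn copy_truncating<W: Write>(chunks: &[&[u8]], out: &mut W) -> io::Result<u64> {
    let mut bytes = 0u64;
    for &chunk in chunks {
        bytes += out.write(chunk)? as u64;
    }
    Ok(bytes)
}

/// Drains every chunk completely, treats a zero-length write as an error
/// instead of spinning, and compares the total with the expected length.
fn copy_complete<W: Write>(
    chunks: &[&[u8]],
    out: &mut W,
    expected_len: Option<u64>, // hypothetical: e.g. a size announced by the mirror
) -> io::Result<u64> {
    let mut bytes = 0u64;
    for &chunk in chunks {
        let mut rest = chunk;
        while !rest.is_empty() {
            match out.write(rest) {
                Ok(0) => {
                    return Err(io::Error::new(
                        io::ErrorKind::WriteZero,
                        "sink accepted no bytes",
                    ));
                }
                Ok(n) => {
                    bytes += n as u64;
                    rest = &rest[n..];
                }
                Err(ref e) if e.kind() == io::ErrorKind::Interrupted => continue,
                Err(e) => return Err(e),
            }
        }
    }
    out.flush()?;
    match expected_len {
        Some(expected) if expected != bytes => Err(io::Error::new(
            io::ErrorKind::UnexpectedEof,
            format!("wrote {} bytes, expected {}", bytes, expected),
        )),
        _ => Ok(bytes),
    }
}

fn main() -> io::Result<()> {
    // Constructed download: three chunks, 19 bytes in total.
    let chunks: [&[u8]; 3] = [b"0123456789", b"abcdef", b"XYZ"];

    let mut lossy = ShortWriter { data: Vec::new(), max: 8 };
    let reported = copy_truncating(&chunks, &mut lossy)?;
    println!("truncating copy: reported {} bytes, stored {}", reported, lossy.data.len());

    let mut full = ShortWriter { data: Vec::new(), max: 8 };
    let written = copy_complete(&chunks, &mut full, Some(19))?;
    println!("complete copy: wrote {} bytes, stored {}", written, full.data.len());
    Ok(())
}
```

A length check only catches truncation; comparing a cryptographic hash of the downloaded file against a trusted value would also catch corrupted content of the right size.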
  • rebuilderd-worker@.service: all builds fail

    Due to the introduction of setsid -c in repro (cf. archlinux/archlinux-repro#82 ) and that by default systemd-services don't run in a terminal, by running rebuilderd-worker@.service all builds will eventually fail with the following message:

    setsid: failed to set the controlling terminal: Inappropriate ioctl for device
    

    I am not sure if this issue can be resolved by simply telling the service to use a tty somehow. As far as I've tested it this results in the referenced bug (ie. first build succeeding, subsequent failing until service is restarted).

    opened by stefan0xC 2
  • Signed rebuild attestations

    Right now rebuilders are very informal. They report their status, but a GOOD attestation is not used for anything serious yet. Right now it's sufficient to use the basic security that https provides.

    I'm opening this as a tracking issue to collect ideas and thoughts how this should look like in the future.

    enhancement 
    opened by kpcyrd 2
  • Store build logs or diffoscope html output

    Currently it's only possible to investigate why a build was unreproducible by rebuilding it locally and running for example diffoscope. It would be nice to be able to view the build log, results or diffoscope html output via an API call.

    opened by jelly 2
  • Delete orphaned builds in batches

    There's a background job for cleanup that's likely looking up the database for extended periods of time:

    https://github.com/kpcyrd/rebuilderd/blob/8ff458ff71381db01e1fba8abe01e974c7eacbf4/daemon/src/lib.rs#L36

    This could be split up so the select is executed on its own, and the deletes are executed in batches, so each delete locks up the database briefly instead of locking it once for a long time.

    opened by kpcyrd 1
  • Tails signature verification failure

    The tails.sh script hardcodes the Tails gpg key. Unfortunately, it needs to be refreshed, but since the signing key weighs around ~1.5M, it doesn't seem practical to embed it in the script.

    Maybe download it with wget https://tails.boum.org/tails-signing.key, import it into gpg, and hack something with git verify-tag?

    opened by jvoisin 1
  • Why worker containers need SYS_ADMIN to deploy

    Hi, I noticed that in https://github.com/kpcyrd/rebuilderd/tree/b015d16ea1e37924963c60c7a34ebf0d7d45504f/worker , worker containers need to be run with SYS_ADMIN. However, due to some security concerns, it would be hard for me to deploy with SYS_ADMIN. So I sincerely wonder why SYS_ADMIN is imperative : )

    opened by kitaharazy 0
  • Tails doesn't build anymore :'(

    $ rebuildctl pkgs sync-profile --sync-config /etc/rebuilderd-sync.conf tails
    
    […]
    
    Aug 08 16:03:53 rebuilderd rebuilderd-worker[575]: ==> box: Box file was not detected as metadata. Adding it directly...
    Aug 08 16:03:53 rebuilderd rebuilderd-worker[575]: ==> box: Adding box 'tails-builder-amd64-bullseye-20220712-fb05d75887' (v0) for provider:
    Aug 08 16:03:53 rebuilderd rebuilderd-worker[575]:     box: Unpacking necessary files from: file:///tmp/tails.uOtKYL/tails/tails-builder-amd64-bullseye-20220712-fb05d75887.box
    Aug 08 16:03:56 rebuilderd rebuilderd-worker[575]: [239B blob data]
    Aug 08 16:03:57 rebuilderd rebuilderd-worker[575]: Bringing machine 'default' up with 'libvirt' provider...
    Aug 08 16:03:57 rebuilderd rebuilderd-worker[575]: ==> default: Uploading base box image as volume into Libvirt storage...
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: [47.9K blob data]
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: [24.4K blob data]
    Aug 08 16:03:59 rebuilderd libvirtd[32076]: libvirt version: 8.5.0, package: 1 (Andrea Bolognani <[email protected]> Sun, 17 Jul 2022 17:12:07 +0200)
    Aug 08 16:03:59 rebuilderd libvirtd[32076]: hostname: rebuilderd
    Aug 08 16:03:59 rebuilderd libvirtd[32076]: storage volume 'apt-cacher-ng-data.qcow2' exists already
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: Error while creating volume for domain: Call to virStorageVolCreateXML failed: storage volume 'apt-cacher-ng-data.qcow2' exists already
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: rake aborted!
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: VagrantCommandError: 'vagrant ["up", "--provision"]' command failed with exit status 1
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:113:in `rescue in run_vagrant'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:110:in `run_vagrant'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:702:in `block (2 levels) in <top (required)>'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /usr/share/rubygems-integration/all/gems/rake-13.0.6/exe/rake:27:in `<top (required)>'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: Caused by:
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: CommandError: command ["vagrant", "up", "--provision"], {:chdir=>"./vagrant"} failed with exit status 1
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:78:in `run_command'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:111:in `run_vagrant'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /tmp/tails.uOtKYL/tails/Rakefile:702:in `block (2 levels) in <top (required)>'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: /usr/share/rubygems-integration/all/gems/rake-13.0.6/exe/rake:27:in `<top (required)>'
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: Tasks: TOP => build => vm:up
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: (See full trace by running task with --trace)
    Aug 08 16:03:59 rebuilderd rebuilderd-worker[575]: + rm -rf -- /tmp/tails.uOtKYL
    Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker::proc] "/usr/libexec/rebuilderd/rebuilder-tails.sh" exited with exit=exit status: 1, captured 96909 bytes
    Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker::rebuild] No output artifact found, marking as BAD: "/tmp/rebuilderdER21h5/out/tails-amd64-5.3.1.img"
    Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker::rebuild] No output artifact found, marking as BAD: "/tmp/rebuilderdER21h5/out/tails-amd64-5.3.1.iso"
    Aug 08 16:04:00 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:00Z INFO  rebuilderd_worker] Sending build report to rebuilderd...
    Aug 08 16:04:00 rebuilderd rebuilderd[578]: [2022-08-08T14:04:00Z INFO  actix_web::middleware::logger] 127.0.0.1:58292 "POST /api/v0/build/report HTTP/1.1" 200 4 "-" "-" 0.050013
    Aug 08 16:04:03 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:03Z INFO  rebuilderd_worker] Requesting work from rebuilderd...
    Aug 08 16:04:03 rebuilderd rebuilderd[578]: [2022-08-08T14:04:03Z INFO  actix_web::middleware::logger] 127.0.0.1:58292 "POST /api/v0/queue/pop HTTP/1.1" 200 9 "-" "-" 0.000366
    Aug 08 16:04:03 rebuilderd rebuilderd-worker[575]: [2022-08-08T14:04:03Z INFO  rebuilderd_worker] No pending tasks, sleeping for 180s...
    
    opened by jvoisin 1
  • Do not capture absolute paths in in-toto link metadata

    Currently, when rebuilderd records an in-toto link after a successful rebuild, the absolute paths of both the input and output packages are recorded. Typically, this looks something like /tmp/rebuilderd<build string>/{inputs,out}/<package file>. This should be replaced with just <package file>, enabling more straightforward artifact rules in in-toto layouts. Since rebuilderd is aware of the build location, it can pass this path to in-toto as a string to be left-stripped.

    Related: https://github.com/in-toto/in-toto-rs/issues/12

    opened by adityasaky 0
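The left-stripping requested in the issue above, as an added Python example (not rebuilderd's or in-toto's code): artifact hashes are recorded under the bare package file name, so two workers with different temporary build directories produce identical records. The function names, the package file name and the file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large packages are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_artifacts(paths, lstrip_prefixes=()):
    """Return {recorded_name: {"sha256": ...}} for a link's materials or products.

    At most one matching prefix is removed from the left side of each path.
    """
    # Overlapping prefixes make the result depend on ordering, so reject them.
    for a in lstrip_prefixes:
        for b in lstrip_prefixes:
            if a != b and a.startswith(b):
                raise ValueError(f"prefix {b!r} is a left substring of {a!r}")

    artifacts = {}
    for path in paths:
        name = path
        for prefix in lstrip_prefixes:
            if path.startswith(prefix):
                name = path[len(prefix):]
                break
        # Two files collapsing to one name would silently drop a hash.
        if name in artifacts:
            raise ValueError(f"{name!r} recorded twice after stripping")
        artifacts[name] = {"sha256": sha256_file(path)}
    return artifacts


def demo():
    """Simulate two workers rebuilding the same package in different temp dirs."""
    pkg = "hello-1.0-1-x86_64.pkg.tar.zst"  # constructed package file name
    results = []
    for _ in range(2):
        build_dir = tempfile.mkdtemp(prefix="rebuilderd")  # random suffix per build
        out_dir = os.path.join(build_dir, "out")
        os.makedirs(out_dir)
        out_path = os.path.join(out_dir, pkg)
        with open(out_path, "wb") as fh:
            fh.write(b"constructed package bytes")
        absolute = record_artifacts([out_path])
        stripped = record_artifacts([out_path], lstrip_prefixes=[out_dir + os.sep])
        results.append((absolute, stripped))
    return pkg, results
```

With absolute paths the two records differ only in their keys, which is what forces wildcard artifact rules in a layout; with the prefix stripped, a rule can name the package file directly.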
  • Make workers profile aware or profiles worker aware

    I'd like to be able to use some workers exclusively to rebuild selected profiles, for example, Arch Linux's community repository which has significantly more packages than core and extra. This would also allow for more granular control over which underlying host builds which packages. For example, heavier packages like linux*, gcc etc can be in a separate profile, that is always assigned to a host with the necessary resources.

    opened by adityasaky 0
  • Killing builds after timeout doesn't work reliably

    Especially on the Debian rebuilder, builds frequently get stuck during tests, and the kill-after-timeout doesn't seem to work reliably.

    The code that configures the timeout:

    https://github.com/kpcyrd/rebuilderd/blob/9b586829d858ef130ef0a234e7da27020bf01357/worker/src/rebuild.rs#L186-L193

    The code that's supposed to kill the process:

    https://github.com/kpcyrd/rebuilderd/blob/9b586829d858ef130ef0a234e7da27020bf01357/worker/src/proc.rs#L90-L114

    This needs investigation.

    opened by kpcyrd 1
Releases(v0.19.0)
  • v0.19.0(Aug 30, 2022)

  • v0.18.1(Dec 17, 2021)

  • v0.18.0(Dec 15, 2021)

  • v0.17.0(Dec 12, 2021)

    • Allow picking a different sync-method than the distro used. This allows reusing the Arch Linux sync code for other pacman-based distributions that might need a different rebuilder backend. #109
    • Create new process groups for the rebuild and kill the whole group on build timeout instead of just the immediate child process #110, #111 (thanks to @stoeckmann for his help and insight)
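
The fix named in this release note, and the symptom reported in the issue "Killing builds after timeout doesn't work reliably", shown as an added Python example (rebuilderd itself is written in Rust; this is not its code). The function name and the STUCK_BUILD command are constructed for illustration.

```python
import os
import signal
import subprocess
import time


def run_with_timeout(argv, timeout):
    """Run argv in its own process group; kill the whole group on timeout.

    Returns (timed_out, captured_output, elapsed_seconds).
    """
    started = time.monotonic()
    proc = subprocess.Popen(
        argv,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        # setsid() in the child: it becomes leader of a new session and process
        # group, so its pid doubles as the group id for killpg() below.
        start_new_session=True,
    )
    timed_out = False
    try:
        output, _ = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        timed_out = True
        # proc.kill() would signal only the immediate child. Descendants would
        # keep running and keep the output pipe open, so the read below would
        # block until they exit on their own.
        try:
            os.killpg(proc.pid, signal.SIGKILL)
        except ProcessLookupError:
            pass  # group already gone
        output, _ = proc.communicate()  # reap the child, drain the pipe to EOF
    return timed_out, output, time.monotonic() - started


# Constructed stand-in for a build script whose test suite hangs: the shell
# forks a long-running grandchild and then waits for it.
STUCK_BUILD = ["sh", "-c", "echo building; sleep 60 & wait"]

if __name__ == "__main__":
    print(run_with_timeout(STUCK_BUILD, timeout=1.0))
```

A descendant that calls setsid() or setpgid() itself leaves the group and survives killpg(); containment that a build cannot opt out of needs a PID namespace or a cgroup.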

    Thanks

    We'd like to thank @jvoisin, @SantiagoTorres and @repi for their support on github sponsors.

    rebuilderd-0.17.0.tar.gz.asc(850 bytes)
  • v0.16.6(Dec 5, 2021)

  • v0.16.5(Dec 3, 2021)

  • v0.16.4(Dec 1, 2021)

  • v0.16.3(Nov 28, 2021)

    • Add missing runtime dependencies to docker container #92, #93
    • If attestation failed to generate log a warning but don't error #94, #95, #96
    • Allow multiple versions of packages in unique constraint #97
    • Run sync import in database transaction #97
    • Allow multiple pkgbases with same name and version but different architecture #97
    • Fix delete performance when removing packages with filters #97

    Thanks

    We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

    rebuilderd-0.16.3.tar.gz.asc(850 bytes)
  • v0.16.2(Nov 22, 2021)

  • v0.16.1(Nov 22, 2021)

    • Fix a regression in the container image: Revert REBUILDERD_COOKIE_PATH=/secret/auth default - When using rebuildctl from the container image this would always attempt to load the auth cookie from /secret/auth and fail if it doesn't exist, instead of attempting to load the auth cookie from /etc/rebuilderd.conf.

    Thanks

    We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

    rebuilderd-0.16.1.tar.gz.asc(850 bytes)
  • v0.16.0(Nov 22, 2021)

    • This release lands build groups, which allows reproducing multiple packages with a single build, if they share a common base (pkgbase in Arch Linux, source package in debian, or a common release number in tails). This reduces the cpu load of running a rebuilder because it's using the resources more efficiently.
    • Update tails documentation (thanks to @jvoisin)

    Important: the build group change impacts the size of the report POST body, both because the build log is submitted multiple times for each package and because each package can have its own diffoscope. If you're using nginx to limit the request body (on by default) please adjust your config accordingly, either by setting a lower size limit in rebuilderd, or allowing larger request bodies in nginx.

    Thanks

    We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

    rebuilderd-0.16.0.tar.gz.asc(850 bytes)
  • v0.15.0(Oct 16, 2021)

    • distro field is now an opaque string instead of an enum
    • url has been renamed to artifact_url in a few places
    • It's now possible to pass --input-url to support e.g. external buildinfo files
    • /data and /secret are now volumes in the rebuilderd docker image
    • Avoid double-slash in request if endpoint url ends with slash
    • Correctly load auth-cookie in rebuildctl pkgs sync-stdin

    Breaking changes

    • The worker config format has been updated; the rebuilder backends now need to be explicitly registered. This may look like this:

        [backend."archlinux"]
        path = "/usr/libexec/rebuilderd/rebuilder-archlinux.sh"

        [backend."debian"]
        path = "/usr/libexec/rebuilderd/rebuilder-debian.sh"

        [backend."tails"]
        path = "/usr/libexec/rebuilderd/rebuilder-tails.sh"

    • The url field is now called artifact_url in some API responses; rebuildctl 0.14.2 and rebuilderd 0.15.0 may not be compatible with each other

    Thanks

    We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

    rebuilderd-0.15.0.tar.gz.asc(850 bytes)
  • v0.14.2(Sep 26, 2021)

  • v0.14.1(Sep 26, 2021)

  • v0.14.0(Sep 21, 2021)

    • Add in-toto attestation to rebuilderd by @joyliu-q during Google Summer of Code
    • Add experimental tails support
    • Add subcommand to download attestation with rebuildctl
    • Dynamically link zstd
    • Arch Linux: Detect compression with tree_magic
    • Change default cpu and io priority of rebuilderd-worker to idle
    • Fix auth cookie discovery for docker-compose
    • Bugfixes for the work-in-progress debian setup by @SantiagoTorres
    • Update debrebuild flag to --buildresults=
    • Convert blocking reqwest client to async

    Breaking changes

    • The worker keys are automatically regenerated when migrating from 0.13.0 to 0.14.0
    • Authenticating by the public key alone is not allowed anymore

    Thanks

    This work was sponsored by Google, The Linux Foundation, and people like you and me! We'd like to thank @SantiagoTorres and @repi in particular for their support on github sponsors.

    rebuilderd-0.14.0.tar.gz.asc(850 bytes)
  • v0.13.0(Jul 22, 2021)

  • v0.12.0(May 17, 2021)

  • v0.11.0(May 16, 2021)

    • The output directory for repro is now managed by rebuilderd
    • In preparation for pkgbase aware rebuilds, we now ignore the exit code of the rebuilder backend and instead verify the file written to the outdir is equal to the rebuild input
    • The ./build/ folders in /var/lib/rebuilderd-worker are now unused and can be deleted
    • The rebuild artifacts are not stored anymore, only the status and optionally the diffoscope are stored

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.11.0.tar.gz.asc(850 bytes)
  • v0.10.0(Apr 12, 2021)

  • v0.9.1(Dec 27, 2020)

  • v0.9.0(Dec 24, 2020)

    • Introduce pkgbases to the database - this is in preparation to change build scheduling from individual binary packages to the pkgbase and verify all binary outputs with a single build. This release starts to transition existing packages and results. A future release is going to delete all results that haven't been transitioned. Upgrading to v0.9.0 before upgrading to v0.10.0 is recommended. Consider joining #archlinux-reproducible or #rebuilderd on freenode and say hi so we can check in on you for major changes like this.
    • Fix a bug with any packages not getting retried.
    • Add a dashboard endpoint designed for high load.
    • Add rebuildctl pkgs sync-stdin <distro> <suite> to support external package index parsers that output the format used by rebuildctl pkgs sync --print-json.
    • Change the commandline options for rebuildctl pkgs sync since multiple architectures can be specified now.
    • Introduce --release and releases = in preparation for debian support.

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.9.0.tar.gz.asc(850 bytes)
  • v0.8.0(Dec 6, 2020)

    Build Logs

    • Allow configuring the build log size/time limit - this mitigates an issue when the build prints tens of megabytes of text, exceeding the max post limit. Also, the maximum build time can be configured instead of being hard-coded to 24h.
    • Introduce an option to disable build output forwarding - By default all build output is written to journald; this is useful for debugging but may slow down certain log queries. You can now choose to disable output passthrough so the build output is only stored in rebuilderd.

    Misc

    • Update default worker config with new [build] section
    • Add -C as short option for --color

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.8.0.tar.gz.asc(850 bytes)
  • v0.7.0(Nov 20, 2020)

    New diffoscope configuration

    • Rename gen_diffoscope to diffoscope.enabled
    • Add an option to add timeout to diffoscope execution (defaults to 1h)
    • Add an option to truncate diffoscope output to configured number of bytes
    • Add an option to add custom arguments to diffoscope
    • Log how many bytes have been captured from diffoscope

    Misc

    • Handle errors that cause a worker exit
    • Make http client async
    • Improve rebuilderd-worker logging
    • Clear build_id when resetting package

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.7.0.tar.gz.asc(850 bytes)
  • v0.6.0(Nov 8, 2020)

    • Workers are now capturing and persisting build output
    • The daemon is now storing and publishing the build logs and diffoscope diffs through the API at /api/v0/builds/{id}/log and /api/v0/builds/{id}/diffoscope. The build_id can be found in the output of rebuildctl pkgs ls --name foo, e.g. as #123.
    • Workers can be gracefully restarted by creating an empty file at /var/lib/rebuilderd-worker/$WORKER/rebuilderd.restart.
    • Rework diffoscope integration

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.6.0.tar.gz.asc(850 bytes)
  • v0.5.0(Nov 2, 2020)

    • Reduce sqlite db locking issues
    • Introduce automatic retries
    • Introduce queue priorities
    • Support picking up ip from reverse proxy
    • Add scheduler integration tests
    • Automatically abort builds after 24h
    • Add build time to API response
    • Add cargo-deb configs
    • Download the package with rust instead of wget

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.5.0.tar.gz.asc(850 bytes)
  • v0.4.0(Apr 30, 2020)

  • v0.3.1(Apr 30, 2020)

    • Fix a bug with rebuildctl queue drop not working correctly
    • Use regular arch mirror urls for the source in rebuilderd-sync.conf. The old format still works but generates a deprecation warning. The new format looks like: source = "https://ftp.halifax.rwth-aachen.de/archlinux/$repro/os/$arch" #15
    • Fix a bug that changes in /etc/rebuilderd-worker/*/archlinux-repro/repro.conf are always overwritten
    • Adding the following line to the above config now significantly speeds up downloads: export ARCH_ARCHIVE_CACHE=https://cache.rebuilder.fzylab.net/packages

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.3.1.tar.gz.asc(850 bytes)
  • v0.3.0(Apr 27, 2020)

    • Important: the default port has been changed from 127.0.0.1:8080 to 127.0.0.1:8484 to avoid conflicts
    • Allow setting auth cookies for multiple endpoints
    • Man pages for binaries and config files have been added
    • Don't ignore errors with invalid configs
    • Set the worker ping interval from 30s to 60s
    • Automatically restart workers with systemd if they crash
    • Set some hardening options on the rebuilderd systemd unit

    Thanks

    We'd like to thank @repi for their support on github sponsors.

    rebuilderd-0.3.0.tar.gz.asc(850 bytes)
  • v0.2.2(Apr 23, 2020)

    • Fix a bug with rebuilderd always generating a cookie instead of reading /etc/rebuilderd.conf
    • If no worker authentication is configured, require admin auth instead of no auth
    • Add excludes = [] and --exclude to allow blacklisting packages from sync by name
    • Add glob support to match packages by pattern
    • Add --color to rebuildctl for colors with watch -c
    • Add an option for json output in rebuildctl
    • Improve logging regarding auth cookie
    rebuilderd-0.2.2.tar.gz.asc(850 bytes)
Owner
Independent security research. Works on software supply-chain security. Maintains packages in Arch Linux, Debian, Alpine. Steals food at conferences.