Metadata-Version: 2.4
Name: fedora-repro
Version: 0.1
Summary: Scripts to build Fedora packages in historical buildroots
Project-URL: Homepage, https://github.com/keszybz/fedora-repro
Project-URL: Repository, https://github.com/keszybz/fedora-repro
Project-URL: Issues, https://pagure.io/fedora-reproducible-builds/project/issues
Project-URL: Documentation, https://docs.fedoraproject.org/en-US/reproducible-builds/
License: LGPL-2.1-or-later
License-File: LICENSE.LGPL2.1
Keywords: fedora,reproducible builds
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU Lesser General Public License v2 or later (LGPLv2+)
Classifier: Operating System :: POSIX :: Linux
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Logging
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.9
Requires-Dist: ipcqueue
Description-Content-Type: text/markdown

This repo contains a set of programs to rebuild Fedora packages.
The rebuild happens in an environment that contains the same packages as the original build,
so the results are identical if the package builds reproducibly.

See https://reproducible-builds.org/ for motivation and more details
and https://docs.fedoraproject.org/en-US/reproducible-builds/ for the use in Fedora.

🚧🚧🚧 WARNING: WIP 🚧🚧🚧

Usage:
```
$ fedora-repro-build.py NEVR
```

This will establish a koji session,
download information about the build,
get the output package list,
pick a subpackage with a matching architecture or "noarch",
download the list of packages in the build of the subpackage,
download those packages,
create a "repository" using `createrepo_c`,
create a mock config using that repository and no other sources of packages,
download the srpm,
launch `mock` rebuild of the srpm,
locate the output packages,
and do a one-by-one comparison of the first package list and the mock output packages.

The comparison is done using `rpmdiff`,
because that suppresses differences that are not interesting.
`diffoscope` should be used for in-depth comparisons.

At least the following fields will always or almost always vary:
* `HEADERIMMUTABLE`,
* `SIGSIZE`,
* `SIGMD5`,
* `SHA1HEADER`,
* `SHA256HEADER`
* `BUILDTIME`
* `BUILDHOST` (we override this based on the first archful package, but srpm and noarch packages will often have different values)
* `COOKIE` (this is a combination of `BUILDHOST` and `BUILDTIME`)
* `OPTFLAGS` (this depends on the architecture, also for the srpm and noarch packages)
* `PLATFORM` (same)

If `rpmdiff` shows a difference, or if `diffoscope` shows a difference in `FILEMD5S` or `PAYLOADDIGEST`, then the builds was not reproducible.

For list of known issues, see https://pagure.io/fedora-reproducible-builds/project/issues?tags=irreproducibility.

Information that is queried from koji is saved under `cache/info/`,
and packages that are downloaded are saved under `cache/rpms/`.
Build outputs and logs are saved under `cache/build/`.

🚧🚧🚧 WARNING: WIP 🚧🚧🚧
