Rebuild all wheels reproducibly and use wheels from local filesystem #213
Conversation
This patch stops accessing the webbased index for the wheels, instead uses the local filesystem path.
Adjusting the error-handling based on a recent signing operation. Makes the tooling a bit friendlier for maintainers.
In order to regenerate the wheel files, I ran: ./scripts/build-sync-wheels --clobber -p ../securedrop-client ./scripts/build-sync-wheels --clobber -p ../securedrop-log ./scripts/build-sync-wheels --clobber -p ../securedrop-proxy Each repo had the latest "main" branch commit checked out. Then I ran ./scripts/sync-sha256sums, completed the signing ceremony, and committed the results.
@kushaldas I've appended new wheel files and checksums here, and marked the task as complete in your list. Back over to you! |
eloquence
changed the title
|
(Retitled for clarity, please don't hesitate to edit if I misunderstood but I wanted to make it clearer that this PR now also updates all the existing wheels.) |
The new wheels are coming in the following PR: freedomofpress/securedrop-builder#213 These wheels are reproducible, you can build them following our Makefile.
The new wheels are coming in the following PR: freedomofpress/securedrop-builder#213 These wheels are reproducible, you can build them following our Makefile.
The new wheels are coming in the following PR: freedomofpress/securedrop-builder#213 These wheels are reproducible, you can build them following our Makefile.
|
Next, we will have to merge these 3 PRs:
Only after those are merged, we will be able to see CI progressing for this PR. |
The new wheels are coming in the following PR: freedomofpress/securedrop-builder#213 These wheels are reproducible, you can build them following our Makefile.
The new wheels are coming in the following PR: freedomofpress/securedrop-builder#213 These wheels are reproducible, you can build them following our Makefile.
|
@kushaldas I haven't provided in-depth review of all the checksums in the component PRs you link to, but plan to do so tomorrow. While testing that, I might append yet another test-only commit onto this PR, tracking the feature branches in those repos, to confirm everything is green prior to approving. Thanks for preparing! Looking forward to landing these changes. |
kushaldas
force-pushed
the
use_reproducible_wheels
branch
from
b9334ea to
71de804
Compare
|
So the package build tests were failing as they were building the last release. And the repository now has different wheels from the last release. In my temporary commit, I am doing night build instead of rebuilding the last release. I am still not sure how to fix the |
From the last release of which package? Are you recommending that the wheels in this PR be regenerated to resolve? |
|
So the package build tests were failing as they were building the last release. And the repository now has different wheels from the last release. In my temporary commit, I am doing night build instead of rebuilding the last release. I am still not sure how to fix the
Generally the CI is trying to build the last release of these packages, which is failing because now we have new wheels. My temporary commit tries to build the nightly, that is why is passing for those builds. But, the |
@kushaldas you correctly identify that the reproducibility check rely on the archived tarballs[1], which were have considered deprecating. It sounds like we could replace this step by manually cloning and building the tarball locally on the latest release tag on |
| 684a38a6f903c1d71d6d5fac066b58d7768af4de2b832e426ec79c30daa94a16 idna-2.7.tar.gz | ||
| 614c22fe1a5b0a3f46f6c5c43ff2e6795e4e784328d559ec9dc49db0f06b3a75 Mako-1.0.7-py3-none-any.whl | ||
| 99d041a616a3655725dffe459916627b75640a7d045ed33f51ce158a168ca3ef Mako-1.0.7-py3-none-any.whl | ||
| 4e02fde57bd4abb5ec400181e4c314f56ac3e49ba4fb8b0d50bba18cb27d25ae Mako-1.0.7.tar.gz | ||
| c6b726d2e9d6300a044cf6a37627f10994268d6ac39464bc0d725126609311a5 MarkupSafe-1.0-py3-none-any.whl |
There was a problem hiding this comment.
can 1.0 entries be removed?
There was a problem hiding this comment.
can 1.0 entries be removed?
I think we should do it later with a new PR as we mess up, it will difficult to figure out where it broke (if it is the new work or removing old things).
There was a problem hiding this comment.
Oh, I guess you are talking about removing the old MarkupSafe wheel removal, that can be done.
kushaldas
force-pushed
the
use_reproducible_wheels
branch
from
291363f to
14b2f75
Compare
|
I could not do it via packages/tarballs from current |
|
I haven't taken a look at this yet, @kushaldas, but will do so later in the week. |
|
@kushaldas Nice work in #214! I took the liberty of appending yet more partial work, specifically using Based on the new changes, I have a couple immediate observations:
I'm suggesting removal of those tests on every PR run, because the reprotest suite effectively verifies that the build passes—and then passes again! If you agree, please take a stab at adjusting the settings. I'd also appreciate your help on getting the new reprotest suite passing in CI. You'll see that I've moved it from a machine to container executor in CI, but that itself isn't enough. See what you can figure out. We're almost there! 🚀 |
|
Took another look at this today. Looks like we're running into a CI-specific problem with I'll work on adjusting the tests to accommodate. Overall, the logic here is very much what we want! Will poke at reprotest in CircleCI containers another day to understand the root cause better. |
|
@conorsch @kushaldas have you tried the "next gen" circle images? They have python buster images that can be used here: We have recently switched to these for some core CI targets: freedomofpress/securedrop#5720 |
|
No, but worth a shot! Thanks for mentioning. |
More pytest-based reprotest invocations, this time focusing on .deb files. Replaces the CircleCI repro tests that manually compared hashes. Also modifies build script to support commit hash The logic assumed we were always building from a prod release tag. As a result, the CI logic was reimplementing the tarball mangling. Let's make the script more flexible, so we can run the script in CI and thereby get a bit more test coverage for it. Modifies CI env for reprotest support When building .deb packages, we need the python version for the packaging environment to match that of the target platform, i.e. python3.7 for buster. In CI, our platform options are: * VM, Ubuntu 20.04 * Container, Debian 10 The container driver in CircleCI does not permit "setarch" calls, erroring out immediately. The setarch calls are not optional in reprotest, unfortunately, so let's hack the file and remove it entirely, only in CI.
conorsch
force-pushed
the
use_reproducible_wheels
branch
from
43d6a6d to
96d9e59
Compare
Updated the build logic for securedrop-export to remove use of the https://pypi.securedrop.org URL. At present, the securedrop-export doesn't use any external Python dependencies, it's core-only. So the custom PyPI URL was never necessary, and technically we could excise it altogether right now, but for consistency's sake I'm updating it to match the other Python-based SDW packages.
conorsch
force-pushed
the
use_reproducible_wheels
branch
from
96d9e59 to
ebc1a78
Compare
Fixed in this branch. A clarification, though: yes, the build logic was erroneously using
I tried those, but to no avail. The problem appears to be that in CircleCI, containers are run with reduced privileges, prohibiting the use of the CI is now passing across the board, so I'm marking ready and proceeding with final review. |
The new wheels are coming in the following PR: freedomofpress/securedrop-builder#213 These wheels are reproducible, you can build them following our Makefile.
The new wheels are coming in the following PR: freedomofpress/securedrop-builder#213 These wheels are reproducible, you can build them following our Makefile.
|
Merged the associated component PRs, then reverted the temporary commits on this branch. See fully passing build here, with temporary commits reverted: https://app.circleci.com/pipelines/github/freedomofpress/securedrop-debian-packaging/885/workflows/3fb0f623-77a7-4b16-9c9b-2497e8866f5c I'll rebase again to drop those temporary commits entirely, confirm passing, then merge. |
conorsch
force-pushed
the
use_reproducible_wheels
branch
from
9d6c143 to
da78f9b
Compare
|
After merging all associated PRs, including this one, into the main branches for all repos, I re-ran the tests in CircleCI, and they're showing green across the board:
There may be a few PRs, especially in the securedrop-client repo, that will need to be rebased to keep tests passing. Other than that, no further action required. |
This patch stops accessing the webbased index for the wheels,
instead uses the local filesystem path.
Fixes #212 (work remaining)
Next step in this PR.
securedrop-client,securedrop-proxyandsecuredrop-logprojects../scripts/build-sync-wheels --clobber -p ../securedrop-clientis one example.build-requirements.txtfiles for all the 3 Debian packagesHow to test?
make securedrop-clientmake securedrop-proxymake securedrop-logAll of the above commands should pass.