Commit 2da49e69 authored by intrigeri's avatar intrigeri

When testing ISO build reproducibility, use the same APT snapshots in both builds (refs: #15107).


 - Our branches based on devel use "latest" snapshots for every APT archive used
   at build time => their reproducibly_build_Tails_ISO_* job will fail if any of
   these APT snapshots is updated between the start of the original build job
   and the start of the reproducibly_build_Tails_ISO_* job.

 - Our branches based on stable are also affected, but to a lesser degree: they
   use the "latest" snapshot only for the debian-security archive.

 - Any branch can be affected when the build is triggered by a Git push at an
   unfortunate time. But for some branches, the automatic daily build is
   _always_ affected: daily Jenkins job runs are scheduled in a deterministic
   manner, with a schedule based on the name of the branch. So inevitably, the
   automatic daily rebuild of _some_ branches will always fail to build
   reproducibly, because the failure condition ("APT snapshots is updated
   between the start of the original build job and the start of the
   reproducibly_build_Tails_ISO_* job") will always be met. There's no such
   active branch at the moment but we've seen that happen in the past.

To fix that, let's ensure we use the same APT snapshots during the second build
as the ones the first build used. Here's how.

With this commit, we save the serials an ISO build used as a build artifact that
the downstream reproducibly_build_Tails_ISO_* CI job will copy and then load
environment from (using the Jenkins EnvInject Plugin).

Therefore, in a given reproducibly_build_Tails_ISO_* CI job run, the
APT_SNAPSHOTS_SERIALS environment variable will tell what APT snapshots were
used by its upstream build_Tails_ISO_* CI job run. And finally, thanks to
commit:aafdf8da and follow-ups, that downstream
reproducibly_build_Tails_ISO_* CI job run will reuse the same snapshots.
parent 3669c1ad
......@@ -317,7 +317,8 @@ end
def list_artifacts
user = vagrant_ssh_config('User')
stdout = capture_vagrant_ssh("find '/home/#{user}/amnesia/' -maxdepth 1 " +
"-name 'tails-amd64-*'").first
"-name 'tails-amd64-*' " +
"-o -name tails-build-env.list").first
rescue VagrantCommandError
......@@ -102,11 +102,18 @@ $RUN_LB_CONFIG --distribution stretch ${@}
# set up everything for time-based snapshots:
if [ -n "${APT_SNAPSHOTS_SERIALS:-}" ]; then
echo "Fixing 'latest' APT snapshots serials to: ${APT_SNAPSHOTS_SERIALS}."
echo "Fixing 'latest' APT snapshots serials to: '${APT_SNAPSHOTS_SERIALS}'."
apt-snapshots-serials prepare-build "${APT_SNAPSHOTS_SERIALS}"
apt-snapshots-serials prepare-build
# record what APT snapshots this build is going to use, so that one
# can try to reproduce it more reliably
echo "# This file is in Java property file format" >> "$JENKINS_ENV_PROPERTIES"
echo "APT_SNAPSHOTS_SERIALS = $(apt-snapshots-serials cat-json tmp/APT_snapshots.d)" \
DEBIAN_MIRROR="$(apt-mirror debian)"
DEBIAN_SECURITY_MIRROR="$(apt-mirror debian-security)"
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment