{"id":13542675,"url":"https://github.com/kpcyrd/rebuilderd","last_synced_at":"2025-05-14T18:04:53.827Z","repository":{"id":40695206,"uuid":"227679652","full_name":"kpcyrd/rebuilderd","owner":"kpcyrd","description":"Independent verification of binary packages - Reproducible Builds","archived":false,"fork":false,"pushed_at":"2025-05-02T22:14:00.000Z","size":1398,"stargazers_count":381,"open_issues_count":29,"forks_count":27,"subscribers_count":12,"default_branch":"main","last_synced_at":"2025-05-02T22:24:59.956Z","etag":null,"topics":["rebuilder","reproducible-builds","rust","security-tools","supply-chain","supply-chain-security"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kpcyrd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["kpcyrd"],"patreon":"kpcyrd"}},"created_at":"2019-12-12T19:19:37.000Z","updated_at":"2025-05-02T22:14:03.000Z","dependencies_parsed_at":"2023-10-11T19:35:38.924Z","dependency_job_id":"f12e585f-af47-48af-a53e-52d11ee884dc","html_url":"https://github.com/kpcyrd/rebuilderd","commit_stats":{"total_commits":362,"total_committers":11,"mean_commits":32.90909090909091,"dds":0.074585635359116,"last_synced_commit":"578b5a8124233f287ba9e8c8bd732284ba9c8632"},"previous_names":[],"tags_count":37,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frebuilderd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frebuilderd
/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frebuilderd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kpcyrd%2Frebuilderd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kpcyrd","download_url":"https://codeload.github.com/kpcyrd/rebuilderd/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254198514,"owners_count":22030965,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rebuilder","reproducible-builds","rust","security-tools","supply-chain","supply-chain-security"],"created_at":"2024-08-01T10:01:14.779Z","updated_at":"2025-05-14T18:04:48.804Z","avatar_url":"https://github.com/kpcyrd.png","language":"Rust","funding_links":["https://github.com/sponsors/kpcyrd","https://patreon.com/kpcyrd"],"categories":["Rust","rust","Web and Cloud Security","Build techniques"],"sub_categories":["Software Supply Chain","Supply chain beyond libraries"],"readme":"# rebuilderd(1) [![crates.io][crates-img]][crates] [![cncf slack][cncf-img]][cncf] [![irc.libera.chat:6697/#archlinux-reproducible][irc-img]][irc]\n\n[crates-img]:   https://img.shields.io/crates/v/rebuilderd.svg\n[crates]:       https://crates.io/crates/rebuilderd\n[cncf-img]:     https://img.shields.io/badge/cncf-%23rebuilderd-blue.svg\n[cncf]:         https://cloud-native.slack.com/messages/rebuilderd/\n[irc-img]:      https://img.shields.io/badge/libera-%23archlinux--reproducible-blue.svg\n[irc]:          
https://web.libera.chat/#archlinux-reproducible\n\nIndependent verification system of binary packages.\n\n![rebuildctl pkgs ls example output](.github/assets/Vx35qrG.png)\n\n- [Accessing a rebuilderd instance in your browser](#accessing-a-rebuilderd-instance-in-your-browser)\n- [Scripting access to a rebuilderd instance](#scripting-access-to-a-rebuilderd-instance)\n- [Running a rebuilderd instance yourself](#running-a-rebuilderd-instance-yourself)\n    - [Rebuilding Arch Linux](#rebuilding-arch-linux) (Supported)\n    - [Rebuilding Tails](docs/setup-tails.md)\n- [Development](#development)\n    - [Dependencies](#dependencies)\n- [Funding](#funding)\n- [License](#license)\n\nrebuilderd monitors the package repository of a Linux distribution and uses\nrebuilder backends like [archlinux-repro][1] to verify that the provided binary\npackages can be reproduced from the given source code.\n\n[1]: https://github.com/archlinux/archlinux-repro\n\nIt tracks the state of successfully verified packages and optionally generates\na report of differences with [diffoscope][2] for debugging. Note that due to\nthe early state of this technology a failed rebuild is more likely due to a\nnon-deterministic build process than to a supply chain compromise, but if\nmultiple rebuilders you trust report 100% reproducible for the set of packages\nyou use, you can be confident that the binaries on your system haven't been\ntampered with. 
People are encouraged to run their own rebuilders if they can\nafford to.\n\n[2]: https://diffoscope.org/\n\n## Status\n\n| | Status | Docker | Doesn't need --privileged | Doesn't need /dev/kvm | Backend |\n| --- | --- | --- | --- | --- | --- |\n| **Arch Linux** | ✔️ supported | ❌ | - | ✔️ | [archlinux-repro](https://github.com/archlinux/archlinux-repro) |\n| **Debian** | ✔️ supported | ✔️ (not working yet) | ❌ | ✔️ | [debrebuild](https://salsa.debian.org/debian/devscripts/-/blob/main/scripts/debrebuild.pl) |\n| **Tails** | 🚀 experimental | ❌ | - | ❌ | [docs](https://tails.boum.org/contribute/build/) ([script](worker/rebuilder-tails.sh)) |\n| **Alpine** | ✨ planned | - | - | - | - |\n| **Fedora** | 🚀 experimental | ❌ | ❌ | ✔️ | [fedora-repro-build](https://github.com/keszybz/fedora-repro-build/) |\n\n**Docker**: There's a docker-compose example setup in this repository, but not\nall rebuilder backends support running inside of a docker container (for\nexample because the backend creates containers itself).\n\n**Doesn't need --privileged**: Some rebuilder backends create containers in a\nway that works inside of a docker container, if they're granted the required\nkernel capabilities to do so. This may have security implications for other\ncontainers running on that system, or the code running inside the container may\nreconfigure the system outside of the docker container.\n\n**Doesn't need /dev/kvm**: Some build tools may need to start a virtual machine\nand depend on /dev/kvm to be available. This is a special requirement for the\nhosting environment: you either need a VPS with **Nested KVM** or\ndedicated non-virtualized hardware.\n\n# Accessing a rebuilderd instance in your browser\n\nMany instances run a web frontend to display their results. 
[rebuilderd-website]\nis a very good choice and the software powering the Arch Linux rebuilderd\ninstance:\n\n[rebuilderd-website]: https://gitlab.archlinux.org/archlinux/rebuilderd-website\n\nhttps://reproducible.archlinux.org/\n\nLoading the index of all packages may take a short time.\n\n# Scripting access to a rebuilderd instance\n\n\u003ca href=\"https://repology.org/project/rebuilderd/versions\"\u003e\u003cimg align=\"right\" src=\"https://repology.org/badge/vertical-allrepos/rebuilderd.svg\" alt=\"Packaging status\"\u003e\u003c/a\u003e\n\nIt's also possible to query and manage a rebuilderd instance in a scriptable\nway. It's recommended to install the `rebuildctl` commandline util to do this\n(instructions for your system may vary, see packaging status to the right):\n\n    pacman -S rebuilderd-tools\n\nYou can then query a rebuilderd instance for the status of a specific package:\n\n    rebuildctl -H https://reproducible.archlinux.org pkgs ls --name rebuilderd\n\nYou have to specify which instance you want to query because there's no\ndefinite truth™. You could ask multiple instances though, including one you\noperate yourself.\n\nIf the rebuilder seems to have outdated data or lists a package as unknown the\nupdate may still be in the build queue. You can query the build queue of an\ninstance like this:\n\n    rebuildctl -H https://reproducible.archlinux.org queue ls --head\n\nIf there's no output that means the build queue is empty.\n\nIf you're the administrator of this instance you can also run commands like:\n\n    rebuildctl status\n\nOr immediately retry all failed rebuild attempts (there's an automatic retry on\nby default):\n\n    rebuildctl pkgs requeue --status BAD --reset\n\n# Running a rebuilderd instance yourself\n\n![journalctl output of a rebuilderd-worker](.github/assets/mOWZt75.png)\n\n\"I compile everything from source\" - a significant amount of real world binary\npackages can already be reproduced today. 
The more people run rebuilders, the\nharder it is to compromise all of them.\n\nAt the current stage of the project we're interested in every rebuilder there\nis! Most rebuilderd discussion currently happens in #archlinux-reproducible on\nlibera, feel free to drop by if you're running an instance or considering\nsetting one up. Having a few unreproducible packages is normal (even if it's\nslightly more than the official rebuilder), but having additional people\nconfirm successful rebuilds is very helpful.\n\n## Rebuilding Arch Linux\n\nPlease see the setup instructions in the [Arch Linux Wiki](https://wiki.archlinux.org/index.php/Rebuilderd).\n\n# Development with docker\n\nThere is a docker-compose setup in the repo. To start a basic stack, simply\nclone the repository and run:\n\n```sh\nDOCKER_BUILDKIT=1 docker-compose up\n```\n\nThe initial build is going to take some time.\n\nTo recompile your changes (you can optionally specify a specific image to build):\n\n```sh\nDOCKER_BUILDKIT=1 docker-compose build\n```\n\nThe auth cookie has strict permissions; for development simply change them with:\n\n```sh\nsudo chmod 0644 secret/auth\n```\n\nCheck that you can successfully run administrative tasks. Use this command to compile and run the `rebuildctl` binary:\n\n```sh\nREBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- -v status\n```\n\nThere are no packages in the database yet, but there's an example profile that we can load. 
It only contains one lightweight package and should successfully rebuild out-of-the-box in our docker-compose setup.\n\n```sh\nREBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- pkgs sync-profile --sync-config contrib/confs/rebuilderd-sync.conf debian-anarchism\n```\n\nCheck the package was successfully added to the database with status `UNKWN`:\n\n```sh\nREBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- pkgs ls\n```\n\nYou can display the build queue with this command; it's also going to display a timer for jobs that are currently in progress:\n\n```sh\nREBUILDERD_COOKIE_PATH=secret/auth cargo run -p rebuildctl -- queue ls --head\n```\n\nYou can use a combination of the commands mentioned to monitor your rebuilder. The packages should eventually show up as `GOOD` in `rebuildctl pkgs ls`.\n\n# Development\n\nIf you want to build from source or you want to run rebuilderd built from a\nspecific commit, this section contains instructions for that.\n\nA rebuilder consists of the `rebuilderd` daemon and \u003e= 1 workers:\n\nFirst we switch into the `daemon/` folder and run our rebuilderd daemon:\n```sh\ncd daemon; cargo run\n```\n\nThis takes a moment but the API should now be available at\n`http://127.0.0.1:8484/api/v0/dashboard`.\n\nThis daemon needs to run in the background, so we're starting a new terminal to\ncontinue with the next steps.\n\nNext we're going to build the `rebuildctl` binary and confirm it's able to\nconnect to the API. If we don't get an error message this means it's working.\n\n```sh\ncd tools; cargo run -- status\n```\n\nWe didn't connect any workers yet so this output is empty.\n\nNext we want to connect a rebuilder. 
rebuilderd only does the scheduling for\nyou, so you need to install additional software here (called a rebuilder\nbackend):\n\n- **Arch Linux**: `pacman -S archlinux-repro` or `git clone\n  https://github.com/archlinux/archlinux-repro \u0026\u0026 cd archlinux-repro/ \u0026\u0026 make \u0026\u0026\n  sudo make install`. Note that on Debian buster you need to install systemd\n  from buster-backports.\n\nWith a rebuilder backend installed we're now going to run our first worker:\n\n```sh\ncd worker; cargo run -- connect http://127.0.0.1:8484\n```\n\nThis rebuilder should now show up in our `rebuildctl status` output:\n\n```sh\ncd tools; cargo run -- status\n```\n\nNext we're going to import some packages:\n\n```sh\ncd tools; cargo run -- pkgs sync archlinux community \\\n    'https://ftp.halifax.rwth-aachen.de/archlinux/$repo/os/$arch' \\\n    --architecture x86_64 --maintainer kpcyrd\n```\n\nThe `--maintainer` option is optional and allows you to rebuild packages by a specific maintainer only.\n\nTo show the current status of our imported packages run:\n\n```sh\ncd tools; cargo run -- pkgs ls\n```\n\nTo monitor that your workers are picking up tasks:\n\n```sh\ncd tools; cargo build \u0026\u0026 CLICOLOR_FORCE=1 watch -c ../target/debug/rebuildctl status\n```\n\nTo inspect the queue run:\n\n```sh\ncd tools; cargo run -- queue ls\n```\n\nAn easy way to test the package import is using a command like this:\n```sh\ncargo watch -- cargo run --bin rebuildctl -- pkgs sync-profile --print-json --sync-config contrib/confs/rebuilderd-sync.conf tails\n```\n\nBuild a package directly:\n```sh\ncargo run --bin rebuilderd-worker -- \\\n\tbuild debian 'http://deb.debian.org/debian/pool/main/a/anarchism/anarchism_15.3-3_all.deb' \\\n\t--input-url 'https://buildinfos.debian.net/buildinfo-pool/a/anarchism/anarchism_15.3-3_all.buildinfo' \\\n\t--backend 'debian=./rebuilder-debian.sh'\n```\n\n## Dependencies\n\nDebian: pkg-config liblzma-dev libsqlite3-dev libzstd-dev\n\n# 
Funding\n\nRebuilderd development is currently funded by:\n\n- ~~kpcyrd's savings account~~\n- ~~Google and The Linux Foundation~~\n- People like you and me on [github sponsors](https://github.com/sponsors/kpcyrd)\n\n# License\n\n`GPL-3.0-or-later`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Frebuilderd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkpcyrd%2Frebuilderd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkpcyrd%2Frebuilderd/lists"}