stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
822a92faeebbceea6fa005b7eddb7572a8b29b41
git.stella-ops.org/docs/features/checked/binaryindex/reproducible-distro-build-pipeline.md
master 5bca406787 save checkpoint: save features
2026-02-12 10:27:23 +02:00

2.7 KiB
Raw Blame History

Reproducible Distro Build Pipeline (Container-Based Builders)

Module

BinaryIndex

Status

VERIFIED

Description

Container-based reproducible build pipeline for Alpine, Debian, and RHEL packages. Rebuilds upstream source packages in isolated containers to produce reference binaries for function-level fingerprint comparison, enabling backport detection by comparing distro-patched binaries against unpatched originals.

Implementation Details

  • Modules: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/, src/BinaryIndex/StellaOps.BinaryIndex.Worker/
  • Key Classes:
    • ReproducibleBuildJob (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/ReproducibleBuildJobTypes.cs) - orchestrates distro-specific builds and fingerprint/patch-diff attribution
    • ReproducibleBuildJob compatibility implementation (src/BinaryIndex/StellaOps.BinaryIndex.Worker/Jobs/ReproducibleBuildJob.cs)
    • ReproducibleBuildOptions (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/ReproducibleBuildJobTypes.cs) - build configuration (timeouts, architecture, concurrency)
    • IReproducibleBuilder (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/IReproducibleBuilder.cs) - abstraction for container-based builds
    • BuilderServiceOptions (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/BuilderOptions.cs) - builder infrastructure configuration
    • GuidProvider (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/GuidProvider.cs) - deterministic GUID generation for reproducibility
  • Integration: Uses IFingerprintClaimRepository to store build verification claims; integrates with IPatchDiffEngine for post-build binary comparison
  • Source: SPRINT_1227_0002_0001_LB_reproducible_builders.md

E2E Test Plan

  • Trigger a reproducible build for a Debian package and verify reference binaries are produced
  • Compare distro-patched binary against unpatched original and verify fingerprint differences
  • Verify container isolation: build runs in isolated container with controlled environment
  • Verify FingerprintClaim records are generated with build provenance evidence
  • Verify GuidProvider produces deterministic GUIDs for identical build inputs
  • Verify backport detection: distro-patched binary with backported fix is correctly identified

Verification

  • Run ID: run-001
  • Verified at: 2026-02-12T06:09:39.1151882Z
  • Evidence:
    • docs/qa/feature-checks/runs/binaryindex/reproducible-distro-build-pipeline/run-001/tier0-source-check.json
    • docs/qa/feature-checks/runs/binaryindex/reproducible-distro-build-pipeline/run-001/tier1-build-check.json
    • docs/qa/feature-checks/runs/binaryindex/reproducible-distro-build-pipeline/run-001/tier2-e2e-check.json