git.stella-ops.org/docs/features/unchecked/binaryindex/reproducible-distro-build-pipeline.md


Reproducible Distro Build Pipeline (Container-Based Builders)

Module: BinaryIndex
Status: IMPLEMENTED

Description

Container-based reproducible build pipeline for Alpine, Debian, and RHEL packages. Rebuilds upstream source packages in isolated containers to produce reference binaries for function-level fingerprint comparison, enabling backport detection by comparing distro-patched binaries against unpatched originals.

Implementation Details

  • Modules: src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/, src/BinaryIndex/StellaOps.BinaryIndex.Worker/
  • Key Classes:
    • ReproducibleBuildJob (src/BinaryIndex/StellaOps.BinaryIndex.Worker/Jobs/ReproducibleBuildJob.cs) - background worker job using IFunctionFingerprintExtractor and IPatchDiffEngine to rebuild packages and compare fingerprints
    • ReproducibleBuildOptions - build configuration (timeout, container images, source package locations)
    • IReproducibleBuilder (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/IReproducibleBuilder.cs) - abstraction for container-based builds
    • BuilderOptions (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/BuilderOptions.cs) - builder configuration
    • GuidProvider (src/BinaryIndex/__Libraries/StellaOps.BinaryIndex.Builders/GuidProvider.cs) - deterministic GUID generation for reproducibility
  • Integration: Uses IFingerprintClaimRepository to store build verification claims; integrates with IPatchDiffEngine for post-build binary comparison
  • Source: SPRINT_1227_0002_0001_LB_reproducible_builders.md

E2E Test Plan

  • Trigger a reproducible build for a Debian package and verify reference binaries are produced
  • Compare distro-patched binary against unpatched original and verify fingerprint differences
  • Verify container isolation: the build runs in an isolated container with a controlled environment
  • Verify FingerprintClaim records are generated with build provenance evidence
  • Verify GuidProvider produces deterministic GUIDs for identical build inputs
  • Verify backport detection: distro-patched binary with backported fix is correctly identified
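
As an added example that is not part of this document or the StellaOps code base, the following Python models the two checks the description and test plan above call for: a deterministic, name-based build GUID derived from canonical build inputs, and a comparison of a distro binary's function fingerprints against unpatched and fixed reference builds to classify a backport. The namespace, input keys and fingerprints are constructed assumptions, and the fingerprint function is a plain hash standing in for a real function-level extractor.

```python
import hashlib
import uuid

# Constructed namespace for this example; the project's GuidProvider inputs and
# namespace are not stated on the page, so this is an assumption.
BUILD_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_URL, "https://example.invalid/binaryindex/build")

def canonical_build_inputs(inputs: dict) -> str:
    """Serialise build inputs in sorted key order so dict order cannot alter the GUID."""
    return "\n".join(f"{key}={inputs[key]}" for key in sorted(inputs))

def deterministic_build_guid(inputs: dict) -> uuid.UUID:
    """Name-based (v5) GUID: identical build inputs always yield the same identifier."""
    return uuid.uuid5(BUILD_NAMESPACE, canonical_build_inputs(inputs))

def fingerprint(function_bytes: bytes) -> str:
    """Stand-in for a function-level fingerprint: truncated SHA-256 of the function bytes."""
    return hashlib.sha256(function_bytes).hexdigest()[:16]

def classify_backport(unpatched: dict, fixed: dict, distro: dict) -> dict:
    """Decide whether a distro binary carries the upstream fix: only functions the
    fix changed (unpatched != fixed) are decisive; per function the distro build is
    'fixed', 'vulnerable', 'diverged' (matches neither, e.g. a distro-specific patch)
    or 'missing'. Verdict: 'backported' (all fixed), 'unpatched' (all vulnerable),
    'no_fix_delta' (references identical) or 'needs_review' (anything else)."""
    changed = sorted(name for name in fixed if unpatched.get(name) != fixed[name])
    if not changed:
        return {"verdict": "no_fix_delta", "functions": {}}
    per_function = {}
    for name in changed:
        fp = distro.get(name)
        if fp is None:
            per_function[name] = "missing"
        elif fp == fixed[name]:
            per_function[name] = "fixed"
        elif fp == unpatched.get(name):
            per_function[name] = "vulnerable"
        else:
            per_function[name] = "diverged"
    verdicts = {frozenset({"fixed"}): "backported", frozenset({"vulnerable"}): "unpatched"}
    verdict = verdicts.get(frozenset(per_function.values()), "needs_review")
    return {"verdict": verdict, "functions": per_function}

# Constructed fingerprints: the upstream fix changed only parse_header.
UNPATCHED = {"parse_header": fingerprint(b"parse-v1"), "init": fingerprint(b"init")}
FIXED = {"parse_header": fingerprint(b"parse-v2"), "init": fingerprint(b"init")}
DISTRO = {"parse_header": fingerprint(b"parse-v2"), "init": fingerprint(b"init")}

def demo() -> str:
    # The distro binary matches the fixed reference on the changed function: backported.
    return classify_backport(UNPATCHED, FIXED, DISTRO)["verdict"]
```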