What about reproducible builds?

Hey guys! Is there a plan to guarantee reproducible builds in the future? I am talking about both server and clients. To my mind this is an important topic in the current time. Especially because there are a few community members who compile the Seafile sources to other platforms. This is really nice (!) but I think a bit about security…


I don’t think this is of much value. I’d expect it to be much work. People being concerned can actually review the whole source and build the software on their own. Where I would agree that the build process is not documented well for all platforms (especially for Windows).

1 Like

I don’t think this is as much work as most of the people think. There is nice documentation on how to guarantee reproducible builds, for example on: https://reproducible-builds.org/docs/
Many projects are currently working on or already have a reproducible build process, e.g.

  • Debian
  • Arch Linux
  • coreboot
  • F-Droid
  • Tor Browser

However, I don’t demand this for Seafile but wanted to know whether the developers of Seafile are generally interested in reproducible builds and maybe think about that in the future. As stated before, I think this is a big step towards more security for the normal users who don’t want to compile from source.

I’m no Seafile developer. Maybe they think something else.

The link provided supports my estimation imho. Looks like quite some work.

I fully support this from a security point of view.

(And leave the “amount of work” to those that will do it, of course)

For the Seafile Client packages that we are working on getting into the main Debian archive, you can have a look at their reproducibility reports here:

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/libsearpc.html
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/ccnet.html
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/seafile.html
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/seafile-client.html

Looking quite good.

1 Like

Thanks, that looks very promising! Do you - or somebody else - know whether there is an intention to include the server in the future as well?

The server won’t be officially packaged for Debian.

Thanks for the information. What a pity!

The development cycle for the server isn’t compatible with the release philosophy of Debian - maintaining such a package would probably be a living hell of backporting fixes while fending off annoyed users that want to have new features…
So we agreed that it’s best to leave the server for self-installing.

2 Likes

They should provide their own package repo for supported distros and compile all of them themselves and not just through community members.

That would be nice but it should work automatically because of lack of man power. I’m not sure which hard- and software the Seafile developers are using for building software - probably Debian?

If properly set up this does not require much man power at all. Only occasionally for updates to the build system and process. I’m done with this. Either they want to support a bigger user and client base or they simply don’t understand it and will keep ignoring it. :frowning: