Skip to content

Modularization of our reproducible build system

About

tor-browser-build contains many necessary pieces in our reproducible builds system that are generic and not tied to Tor Browser specifically (e.g. container creation, dealing with old artifacts etc.). Other projects like Namecoin, Ricochet-Refresh etc. need to work around that by forking that repository and kind of keeping it up-to-date with latest upstream changes.

To make the adoption of our reproducible builds system easier we should split up the tor-browser-build parts into a generic project and Tor Browser specific parts. See: https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40350 for the tracking bug and discussion so far.

Team (add yourself here if you want to join)

Geko (you can find him in irc)

boklm

Skills needed:

having worked with a rbm/tor-browser-build build system before or willing to do so

willing to touch Perl code

Where can we be found: we are hanging around on #tor-dev on OFTC's IRC network (or the respective Matrix channel) and when we need to meet we can use either #tor-meeting or #tor-meeting2.

How can I join: joining the project is easy, just say "Hi!" on #tor-dev or ping me (GeKo). We'll keep notes as we go on this pad trying to enumerate potential tasks which folks can then pick up. Otherwise, just ask.

Potential tasks to work on:

map out what we need to do for getting the modularization off the ground

Add support for multiple rbm.conf files

https://gitlab.torproject.org/tpo/applications/rbm/-/issues/40027

Add support for multiple projects directories

https://gitlab.torproject.org/tpo/applications/rbm/-/issues/40028

Splitting up rbm.conf

Add default remote_start/remote_exec/remote_put/remote_get/remove_finish for containers

https://gitlab.torproject.org/tpo/applications/rbm/-/issues/40029

what about (this is tor-browser-build#40542 now)

debug

has already default option in RBM

compress_tar

default option in RBM

output_dir

has already default option in RBM

tmp_dir

has already default option in RBM

build_log

has already default option in RBM

pkg_type

has already default option in RBM

buildconf: num_procs

default option in RBM (getting it via `nproc`)

buidconf: git_signtag_opts

seems pretty tor-browser-build-specific for now

ENV

maybe we can move that to the default rbm config

gpg_wrapper

maybe we can move that to the default rbm config (rbm/lib/RBM/DefaultConfig.pm), adding an option to enable/disable expired keys

targets: no_build_id

targets: no_containers

I think we can move this to the container module

var: sort_deps

this is used in projects/container-image/config, so I think we should move it to the container module (modules/container/rbm.module.conf)

var: build_id

var: build_id_txt

this currently depends on container options, so maybe we should move that to the container module. Although it would be nice to have it in the default rbm config. Maybe we can have some basic version in default rbm config, with some way for modules like container to extend it. (happens in rbm#40041)

var: container

I think we should move that to the container module, renaming it to something like var_container (depending on which convention we use for naming options from modules)

var: input_files_list

it looks like we don't use input_files_list anywhere, so we might be able to remove it

var: faketime

maybe in default rbm config

var: touch

maybe in default rbm config

var: sign_build

var: sign_build_gpg_opts

this is only used in projects/release, so maybe keep it in tor-browser-build. Maybe that can be moved to projects/release/config.

var: rezip

currently we only use that in projects/firefox/build. Maybe we should move it to projects/firefox/config, unless we have plans to use it in other places

var: set_default_env

this is similar to var/build_id. It currently depends on a container option, so easiest is to move it to the container module. Unless we find some mechanism to allow modules to extend it, in which case we can move it to the default rbm config.

some way to allow extending set_default_env in modules would be adding something like this at the end of set_default_env, which would allow setting container specific things in `module_container/set_default_env`:

[% FOREACH module IN c("modules").keys.sort; GET c("module_" _ module _ '/set_default_env'); END -%] (work happens in rbm#40041

I think we can use some naming convention like this to make it more clear where options come from [+1; your proposal sounds good to me]:

var/name for options defined in tor-browser-build.git or other non-module repos

var_$module/name for options defined in a module (for example we would rename var/deps to var_container/deps)

name for options defined in default rbm config

Where do we document the whole new setup now that tor-browser-build becomes just a project among others? There will be tor-browser-build related documentation changes, sure. But we'd benefit from a general outline for someone who wanted to get started and use rbm for their project in a modularized world. While I like the idea of having "Reproducible builds at Tor", say, on a wiki page in /applications/team it might not be the right place for that general part. (we have now tor-browser-build#40543)

Where do we keep rbm.local.conf.example? [nothing to do here; it's up the respective project whether to make some config example available and, if so, how]

Split up the keyring in case we have modules (like the container one) that use keys currently being in tor-browser-build

we need to add support in rbm for keyring directories in modules (happens in rbm#40028 as well)

Where do we keep non-Tor Browser specific tools (in tor-browser-build/tools)?

keyring management scripts XXX

cleaning up old builds (clean-old, prune-old-builds (do we still need that one at all?)

for the clean-old script, I think we can replace it with rbm#25719 and add some rbm command to clean files not used in the last X days/months (sounds good to me)

for prune-old-builds I think it's only used in automated nightly builds, so we can keep it in tor-browser-build for now

get project X adapted to the modularized world

working on metrics-build (hackweek branch) for that right now

https://gitlab.torproject.org/gk/metrics-build

decide which parts of tor-browser-build.git should be moved to a separate module (I guess that's to be decided by the team but starting with a container module is probably unproblematic)

wishlist: add more comments and internals-documentation to RBM internals [Do you have anything in particular in mind? That is: is there a part that is dense in particular? Or is everything in a similar need of comments/documentation? --GeKo]