Skip to content

Add github release workflow for reproducibly-built debian package #76

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ameba23 wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Add github release workflow for reproducibly-built debian package #76

ameba23 wants to merge 7 commits into from

Conversation

@ameba23
Copy link
Collaborator

@ameba23 ameba23 commented Jan 5, 2026
edited
Loading

This copies the workflow for debian packaging from rbuilder:

  • Adds a cargo profile for reproducible builds, and metadata for debian package to Cargo.toml
  • Adds a Makefile which can build using cargo-deb
  • Adds a Dockerfile which runs the packaging

TODO:

  • Github release workflow which runs the Dockerfile and uploads the packaged artifacts

Here is a test release built on this branch:
https://github.com/flashbots/attested-tls-proxy/releases/tag/vtest00

@ameba23 ameba23 marked this pull request as draft January 5, 2026 09:35
@ameba23 ameba23 requested a review from bakhtin January 5, 2026 10:09
@ameba23 ameba23 marked this pull request as ready for review January 5, 2026 10:09
ameba23 added 2 commits January 5, 2026 11:19
@ameba23
Merge branch 'main' into peg/debian-package
602f880 
* main:
  Remove check enforcing client auth with client attestation
  Allow no client auth
@ameba23
Rm workflow stage for docker
76bafe2
MoeMahhouk
MoeMahhouk reviewed Jan 6, 2026
View reviewed changes
Cargo.toml Outdated
inherits = "release"
lto = "thin"
panic = "abort"
codegen-units = 1
Copy link
Member

@MoeMahhouk MoeMahhouk Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not all projects would require the codegen-units = 1 to be reproducible. I added this to the Reth code-base because it was the only way to make the build reproducible but it comes at the cost of build time. Meanwhile, I was able to make lighthouse build reproducible without it (see PR).
You could try using the release profile and see if despite the reproducible flags you are setting in the makefile, it still produce the same hash or a different one upon two subsequent fresh clean builds.

Copy link
Collaborator Author

@ameba23 ameba23 Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok - i removed this and still get the same .deb file on two subsequent builds without docker cache - but not sure if there is a more rigorous way to check for reproducibility.

Copy link
Member

@MoeMahhouk MoeMahhouk Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good question, usually I try to fresh build the binary/deb on 2-3 different host machines with slightly different setup and hardware specs to double check if all end up with identical hashsums. I compare them also with the results of github workflows.
We could also have something similar to flashbots-images where we create a lima build env to emulate the setup config but that might be a bit overkill.
Maybe @bakhtin has a middle solution that fits the purpose here

Copy link
Collaborator Author

@ameba23 ameba23 Jan 8, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

usually I try to fresh build the binary/deb on 2-3 different host machines with slightly different setup and hardware specs to double check if all end up with identical hashsums. I compare them also with the results of github workflows.

Good idea.

We could also have something similar to flashbots-images where we create a lima build env

Im not so into lima because of the difficulties of using it in CI.

.github/workflows/release.yaml
Copy link
Member

@MoeMahhouk MoeMahhouk Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in case it is helpful for you, here is a draft PR where I am adding reproducible debian packaging to lighthouse

ameba23
ameba23 commented Jan 6, 2026
View reviewed changes
scripts/check-reproducibility.sh
@@ -0,0 +1,14 @@
#!/usr/bin/env bash

# Checks reproducibility by running a package build twice and printing hashes of .deb package
Copy link
Collaborator Author

@ameba23 ameba23 Jan 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Im not sure to what extent this really shows that the build is reproducible, but its better than nothing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MoeMahhouk MoeMahhouk MoeMahhouk left review comments

@bakhtin bakhtin Awaiting requested review from bakhtin

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ameba23 @MoeMahhouk