Bug#876055: Environment variable handling for reproducible builds

[Paul Sherwood <paul.sherwood@codethink.co.uk>]

On 2017-09-18 00:26, Russ Allbery wrote:
> 2. Set the entire environment to the environment specified in buildinfo
>    when doing a reproducible build.  I think this is conceptually the
>    simplest, but it means that we should make every tool that builds
>    official Debian packages use the same environment variable logic so
>    that the buildinfo file completely captures the environment (without
>    leaking random, inappropriate things into buildinfo).  It also means
>    effectively giving up on debian/rules build being a path for making 
> a
>    reproducible build, since we don't have control over that 
> environment,
>    but I think it will be hard to make that work anyway.

FWIW this is the approach we've taken on both of the Baserock build 
tools, and for BuildStream [1].

Given that it's trivially easy for a build script to try to call out to 
the internet (eg fetch tarball, git clone), or look for custom 
environment variables, we think it's clearly safest to put everything in 
a sandbox and be explicit about resources, network and environment 
variables.

br
Paul

[1] https://wiki.gnome.org/Projects/BuildStream/