This tool can check if an opam package build is reproductible (cf. https://reproducible-builds.org). It installs the package twice (different path & time) and check that installed files have the same hash.
$ opam pin git+https://github.com/rjbou/orb
$ orb pkg [--diiffoscope]
This project is currently in early beta.
orb uses an already installed opam & opam root, and it follows those steps:
- Install of two new switches in
/tmp - Install of packages dependencies
- Install of required packages
- Retrieves hashes of installed files and look for mismatches
- Remove temporary switches
With option --diffoscope, mismatching files are copied locally and their diff
generated, using diffoscope.
As orb generates temporary switches, packages dependencies are installed each
time (also compiler), which can be time consuming when working on a package.
Option --use-switches sw1,sw2 can be used to give reusable switches.
--keep-switches option permit to keep those generated switches for
investigation needs. To manually remove them, don't just remove directory, but
use opam switch remove <sw>.