We’ve released launchpad-buildd 163 and deployed it to production. This makes a few changes relevant to building snaps:
Snaps may be configured to build from a git tag rather than a branch. Branches are usually the right choice, since a tag is not normally expected to move once it has been set, so a snap built from a tag will not pick up later commits; but building from a tag may be useful in corner cases. (#1687078)
Some build systems have had difficulty with the authenticated proxy that builds use for external network access. To fix this, the buildd now runs its own local unauthenticated proxy, which forwards requests to the real proxy and handles authentication transparently, and points snapcraft at the local proxy instead. A proxy like this effectively holds the credentials on the build’s behalf, so it should listen only where the build itself can reach it. A number of build systems work better with this change: we’ve seen improvements in builds using ant, gradle, and jhbuild. (There are still problems with at least maven-ant-tasks, although we have some ideas for how to tackle that.) (#1690834, #1753340)
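To make the proxy change concrete, here is an added example of the technique; it is not launchpad-buildd’s own code, and the credentials, addresses and the fake upstream proxy in it are constructed for the demo. The local proxy accepts unauthenticated requests, strips any Proxy-Authorization header the build system may have sent, adds the real one, and then relays bytes in both directions, which is enough for both ordinary proxied requests and CONNECT tunnels. demo_round_trip() wires a fake authenticated upstream, the local proxy and a client together on loopback so the whole path can be exercised offline.

```python
# Added example, not launchpad-buildd's own code: a local unauthenticated proxy
# that forwards to an authenticated upstream proxy and adds the credentials itself.
import base64
import socket
import socketserver
import threading

# Constructed demo credentials; a real deployment takes them from the build
# environment, never from the (untrusted) build system.
UPSTREAM_USER = "builder"
UPSTREAM_PASSWORD = "s3cret"

def inject_proxy_auth(head, user, password):
    """Add Basic Proxy-Authorization to a request head (without the final blank
    line). Whatever the client sent under that name is dropped, so a build
    system can neither probe nor override the real credentials."""
    request_line, *headers = head.split(b"\r\n")
    headers = [h for h in headers
               if h and not h.lower().startswith(b"proxy-authorization:")]
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    headers.append(b"Proxy-Authorization: Basic " + token.encode("ascii"))
    return b"\r\n".join([request_line, *headers]) + b"\r\n\r\n"

def read_head(sock):
    """Read until the blank line that ends an HTTP head, or until EOF."""
    buf = b""
    while b"\r\n\r\n" not in buf and (chunk := sock.recv(4096)):
        buf += chunk
    return buf

def pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst."""
    try:
        while data := src.recv(65536):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

class LocalProxyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        head = read_head(self.request)
        if b"\r\n\r\n" not in head:
            return
        head, rest = head.split(b"\r\n\r\n", 1)  # rest: body bytes read early
        upstream = socket.create_connection(self.server.upstream_addr)
        upstream.sendall(inject_proxy_auth(head, *self.server.credentials) + rest)
        # Relay both ways from here on. This covers plain proxied requests and
        # CONNECT tunnels alike: the upstream's reply is passed back unchanged.
        t = threading.Thread(target=pump, args=(self.request, upstream), daemon=True)
        t.start()
        pump(upstream, self.request)
        t.join()
        upstream.close()

class LocalProxy(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind, upstream_addr, credentials):
        super().__init__(bind, LocalProxyHandler)
        self.upstream_addr = upstream_addr
        self.credentials = credentials

def demo_round_trip():
    """Constructed end-to-end run: a fake upstream proxy that answers 407 unless
    it sees the right credentials, LocalProxy in front of it, and a client that
    sends only a bogus Proxy-Authorization. Returns (upstream head, client response)."""
    seen = {}
    expected = b"Basic " + base64.b64encode(f"{UPSTREAM_USER}:{UPSTREAM_PASSWORD}".encode())
    upstream_srv = socket.socket()
    upstream_srv.bind(("127.0.0.1", 0))
    upstream_srv.listen(1)

    def fake_upstream():
        conn, _ = upstream_srv.accept()
        with conn:
            seen["head"] = read_head(conn)
            if expected in seen["head"]:
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
            else:
                conn.sendall(b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                             b"Content-Length: 0\r\n\r\n")

    threading.Thread(target=fake_upstream, daemon=True).start()
    local = LocalProxy(("127.0.0.1", 0), upstream_srv.getsockname(), (UPSTREAM_USER, UPSTREAM_PASSWORD))
    threading.Thread(target=local.serve_forever, daemon=True).start()
    try:
        with socket.create_connection(local.server_address) as client:
            client.sendall(b"GET http://example.test/ HTTP/1.1\r\nHost: example.test\r\n"
                           b"Proxy-Authorization: Basic Ym9ndXM6Ym9ndXM=\r\n\r\n")
            response = b"".join(iter(lambda: client.recv(4096), b""))
    finally:
        local.shutdown()
        local.server_close()
        upstream_srv.close()
    return seen["head"], response
```

The design point is that the build system is treated as untrusted: it never sees the upstream credentials, and anything it sends in Proxy-Authorization is discarded rather than forwarded, so it cannot use the local proxy to test guesses against the real one. Binding the local proxy to a loopback or build-network address is what keeps the unauthenticated hop from becoming an open proxy for anything else on the host.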
Sorry about this late comment. But I wanted to note that git tags aren’t safe in build systems. Or at least make sure that it’s mentioned and considered. I haven’t yet seen anyone stating “git tags to be considered harmful” or something like that, but it’s worth discussing, no? Here’s my comment from Launchpad:
Whereas branches are very obviously intended for a “latest” pull without any further verification, it’s important to note about git tags:
They can be edited.
This of course will not guarantee reproducible builds, for whatever reason they would be idealized.
However, for malicious purposes: If you tag something “v1.2.3” and then have it built and released with some backdoor, it’s easy to cover up the tracks by force-pushing and overwriting the tag.
Therefore, as I understand it, git commit hashes are the safer alternative. They cannot be changed - they can be deleted of course, but not changed.
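As an added example illustrating the point made in the comment above (it is not the post’s or the commenter’s code, and it assumes a git binary is available), the script below builds a throwaway repository, tags a release, then adds a further commit and force-moves the same tag onto it. Resolving the tag before and after gives two different commits, while the commit that was originally tagged still resolves by its hash; the pinned_matches() check is the comparison a build could make against a hash recorded at release time, and it is what fails after the tag has been moved.

```python
# Added example, not from the post or the comment above: a git tag can be
# re-pointed, but the commit hash it originally named does not change.
import os
import subprocess
import tempfile

def git(repo, *args):
    """Run a git command in repo and return its stdout, stripped."""
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          capture_output=True, text=True).stdout.strip()

def pinned_matches(repo, ref, expected):
    """The check a build can do with a tag: resolve it to a commit and compare
    it with the hash recorded when the release was made."""
    return git(repo, "rev-parse", f"{ref}^{{commit}}") == expected

def demo_tag_move():
    """Constructed scenario: tag a release, then add a commit and force-move the
    tag over it. Returns what a builder would observe at each step."""
    with tempfile.TemporaryDirectory() as repo:
        git(repo, "init", "-q")
        git(repo, "config", "user.name", "Example Dev")
        git(repo, "config", "user.email", "dev@example.test")
        git(repo, "config", "commit.gpgsign", "false")
        src = os.path.join(repo, "main.c")
        with open(src, "w") as f:
            f.write("int main(void) { return 0; }\n")
        git(repo, "add", "main.c")
        git(repo, "commit", "-q", "-m", "release 1.2.3")
        git(repo, "tag", "v1.2.3")
        original = git(repo, "rev-parse", "HEAD")   # hash recorded at release
        before = git(repo, "rev-parse", "v1.2.3^{commit}")
        pin_ok_before = pinned_matches(repo, "v1.2.3", original)

        # Later, an unwanted change is committed and the same tag is re-pointed.
        # Against a remote this is `git tag -f` followed by a forced push.
        with open(src, "a") as f:
            f.write("/* constructed stand-in for an unwanted change */\n")
        git(repo, "commit", "-q", "-am", "release 1.2.3")
        git(repo, "tag", "-f", "v1.2.3")
        after = git(repo, "rev-parse", "v1.2.3^{commit}")
        pin_ok_after = pinned_matches(repo, "v1.2.3", original)

        # The originally tagged commit is untouched and still resolves by hash.
        original_still_resolves = git(repo, "cat-file", "-t", original) == "commit"
        return {"original": original, "before": before, "after": after,
                "pin_ok_before": pin_ok_before, "pin_ok_after": pin_ok_after,
                "original_still_resolves": original_still_resolves}
```

Recording the resolved commit hash alongside the tag at release time, and comparing the two at build time, is the cheap way to notice that a tag has moved; it does not need signed tags, although signed tags with verification add an independent check.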