[rb-general] Paper rough sketch about reproducible builds...

Bernhard M. Wiedemann bernhardout at lsmod.de
Thu May 11 11:24:47 CEST 2017

On 2017-05-07 16:46, Justin Cappos wrote:
> Based upon the conversations I had with everyone at the reproducible
> builds summit in Hamburg, I sketched out some rough ideas about how a
> potential paper might go.
>  https://drive.google.com/file/d/0B9jHgwYYz72TdlFTOHJWVmprSEU/view?usp=sharing 
> I would think that emphasizing some of the community's experiences with
> using reproducible builds to find other bugs will be the most compelling
> stance to take.  I also (over?)state the philosophy of fixing
> reproducibility bugs upstream as an effective way to find more of these
> issues.
> Feedback is certainly welcome.  At this point feedback about the very
> broad ideas and assertions is more useful than noting I misunderstood or
> misstated a specific point.  I'm new to this community, so I apologize
> in advance for any errors.  

Overall, I think, it is valid to present 'finding bugs' as one very
useful effect of our RB efforts, though I'm not sure, if I would call it
the biggest one.
https://reproducible-builds.org/docs/buy-in/ lists some other reasons.
E.g. for openSUSE I usually tell people about the savings in build time
and mirror bandwidth when we update one piece of software (e.g. gcc) and
then have to rebuild and republish less of the dependency tree (happens
automatically in OBS).
That mostly applies to openSUSE Tumbleweed (aka Factory) which is our
rolling release distribution, updated daily after automated testing done
by openQA (which also finds plenty bugs, but different types).

'official definition' = https://reproducible-builds.org/docs/definition/

Some examples of build time data corruption bugs I discovered when
working on reproducible builds:
 => http://rb.zq1.de/compare.factory-20170410/exo-compare.out
 => http://rb.zq1.de/compare.factory-20170410/gedit-plugins-compare.out

 = https://savannah.gnu.org/support/index.php?109234
 => http://rb.zq1.de/compare.factory-20170110/ocserv-compare.out

and a recent issue (not tracked in bugzilla yet) where we generate
python2 and python3 packages in one run and if those were done within
the same second, python's setup.py would think it is already done.
 => http://rb.zq1.de/compare.factory-20170428/python-bottle-compare.out

and some less severe issues

plus some leftover processes when not building in a disposable KVM VM.

So that makes mostly race-conditions found by me, which is a class of
bugs that can be easy to miss and hard to fix (because it does not
trigger every time and enabling extra debug output can modify the timing
so that the bug does not trigger).

And some typo fix for you:
-a unexpected
+an unexpected

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20170511/447343f4/attachment.sig>

More information about the rb-general mailing list