[rb-general] reproducible anything

Bernhard M. Wiedemann bernhardout at lsmod.de
Mon Oct 8 17:27:52 CEST 2018


On 08/10/2018 16.47, Holger Levsen wrote:
> On Fri, Sep 28, 2018 at 01:29:16PM +0000, Orians, Jeremiah (DTMB) wrote:
>> Long game we probably need to practice what we preach and cross-building needs to be something we all seriously consider as essential.
>> Can NetBSD build Debian packages with identical checksums to the Debian packages built on Arch, GuixSD and Debian?
>> Can NetBSD programs be built on Arch, GuixSD and Debian be identical to the same programs built on NetBSD?
>>
>> What are your thoughts?
> 
> I am with David here, I think it's more important to get something
> working into users hands first, than trying to aim for the perfect
> solution. So while these cross-building efforts are super interesting
> and also useful, I think we should aim for native builds reproducible first.

I might not have stated it clearly enough:
This 'noarch' issue did already break native verification of
reproducibility in at least 2 different cases.

One minor issue was from an (unreproducible) .pdf in a noarch package
that was later copied from there into an arch-dependent package.
https://github.com/openSUSE/open-build-service/issues/5784

The other was worse:
https://bugzilla.opensuse.org/show_bug.cgi?id=1109470
using an arch-dependent file from a noarch package to decide which
Library runpaths remain in a binary.
This prevented users from verifying that binaries in 760 packages were
correctly built, because only 1 noarch package is ever published
(even though OBS-internally, there is 1 per arch used)

And apart from that, this work already found some interesting
well-hidden bugs from arch-specific build-time data-corruption
https://bugzilla.opensuse.org/show_bug.cgi?id=1109949
https://bugzilla.opensuse.org/show_bug.cgi?id=1109541


> And I want reproducible Debian *much* earlier, so I advocate for doing
> rebuilds of buster in those same pathes... I know this is "wrong",
> packages should be reproducible in any path, but I want reproducible
> Debian *before* that is the case.

I'm completely with you there. I'm already using a highly normalized
build-env for openSUSE tests (including constant build user, path,
umask, timezone etc)
to solve the other, more pressing issues first (i.e. indeterminism from
timestamps, readdir, hashes, races, random, CPU-detection, ASLR, PGO).


How are 'all' arch packages built in Debian?
If you publish only results from one arch there, they are effectively
cross-built already.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20181008/2db666ee/attachment.sig>


More information about the rb-general mailing list