[rb-general] Different checksum for libgcrypt20

Chris Lamb lamby at debian.org
Fri Jul 12 20:35:30 UTC 2019

Hi Matt et al,,

Morten is entirely correct when he says:

> None of these (pbuild and sbuild) recreate the environment with a BUILDINFO file
> necessary to recreate the hash.

Indeed โ€” at the very least one needs the .buildinfo to ensure you are
exporting the same value for SOURCE_DATE_EPOCH [0] but also to ensure the
same versions of the build-dependencies and other such things. Here is an
random Debian .buildinfo file so you get the rough idea [1].

> All of my builds have been on VM's โ€“ maybe this package requires a
> "bare metal" build host?

(Just a brief/further clarification in that this should not be a factor.)


If you have no luck with making an identical package after using
the .buildinfo, my next step would be then to dig out diffoscope to
determine what the *actual* difference is between the specimen package
and your locally-built one.

Hope that helps...

  [0] https://reproducible-builds.org/specs/source-date-epoch/
  [1] https://gist.github.com/lamby/506cf9da5dd1e3acd97cd1177bc394f6/raw

Best wishes,

     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org ๐Ÿฅ chris-lamb.co.uk

More information about the rb-general mailing list