Possible new category for non-reproducible builds: --build-id=sha1

Bernhard M. Wiedemann bernhardout at lsmod.de
Sun Apr 25 00:26:07 UTC 2021

On 24/04/2021 17.59, Roland Clobus wrote:
> I've looked the reproducible report for apt-cacher-ng [1].
> It looks like it is caused by a linker flag: -Wl,--build-id=sha1

man ld says
> --build-id=style
> If style is omitted, "sha1" is used.

So this is just the default made explicit.

If you see --build-id=uuid it is bad, because it will use randomness
instead of hashing inputs.

If you see variations in build-id with sha1 mode, it means there were
already variations in inputs before and those inputs should be made

Bernhard m.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20210425/6a5df57a/attachment.sig>

More information about the rb-general mailing list