Possible new category for non-reproducible builds: --build-id=sha1 -> actually cmake_rpath_contains_build_path_issue

Roland Clobus rclobus at rclobus.nl
Sun May 30 16:30:27 UTC 2021

Hello again,

On 25/04/2021 02:26, Bernhard M. Wiedemann wrote:
> On 24/04/2021 17.59, Roland Clobus wrote:
>> I've looked at the reproducible report for apt-cacher-ng.
>> It looks like it is caused by a linker flag: -Wl,--build-id=sha1

> If you see variations in build-id with sha1 mode, it means there were
> already variations in inputs before and those inputs should be made
> deterministic.

On 24/04/2021 22:53, Santiago Torres Arias wrote:

Thank you for responding and providing pointers for further thought.

I've dug deeper into the apt-cacher-ng package [3]. It turned out that
there were two reasons for non-reproducibility: locales #988976 and
build-id #989203

The build-id issue is a known issue [1][2] caused by CMake and its
default behaviour to add an rpath to the binary. Upon installation the
rpath bytes are zeroed. This means effectively that 1) the length of the
build path is leaked 2) the build-id is not recalculated.
The diffoscope output was not easy to interpret, because many of the
debugging symbols had a new base-address (due to the different length of
the rpath).

In order to find this type of issue more easily:
A) Reprotest could be extended to run with a build path of the same
length as the original code, which would only show a difference in the
build-id (instead of AND a difference in build-id AND a different length
of the binary with shifted addresses for many functions)
B) Diffoscope could explicitly extract the rpath from the binary, to see
whether it is of build-path-length and contains only '\0' bytes.

With kind regards,
Roland Clobus

[1] https://reproducible-builds.org/docs/deterministic-build-systems/
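
Suggestion B above, sketched as an added example (not part of the original message and not diffoscope code): it reads the dynamic string table of an ELF file and reports zero-filled strings, whose length is the build-path length the message says is leaked. The function names, the 64-bit little-endian restriction, the "run of three or more NUL bytes" heuristic and the sample image are assumptions made for this example.

```python
import re
import struct

SHT_DYNAMIC = 6
SHDR = struct.Struct("<IIQQQQIIQQ")  # ELF64 little-endian section header

def dynstr_bytes(elf: bytes) -> bytes:
    """Return the string table that the SHT_DYNAMIC section links to."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only 64-bit little-endian ELF is handled")
    (shoff,) = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", elf, 0x3A)
    secs = [SHDR.unpack_from(elf, shoff + i * shentsize) for i in range(shnum)]
    for sec in secs:
        if sec[1] == SHT_DYNAMIC:
            off, size = secs[sec[6]][4:6]  # sh_link -> .dynstr offset, size
            return elf[off:off + size]
    raise ValueError("no dynamic section")

def blanked_strings(dynstr: bytes) -> list:
    """(offset, length) of each zero-filled string (heuristic).

    Intact entries are separated by a single NUL, so a run of n >= 3 NULs is
    read as: previous terminator, n - 2 blanked bytes, own terminator.
    """
    return [(m.start() + 1, len(m.group()) - 2)
            for m in re.finditer(rb"\x00{3,}", dynstr)]

def sample_elf(build_path: bytes) -> bytes:
    """Constructed input: ELF header, .dynstr with a zeroed rpath, 3 shdrs."""
    dynstr = b"\0libc.so.6\0" + bytes(len(build_path)) + b"\0libm.so.6\0"
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, 64 + len(dynstr), 0, 64, 0, 0, 64, 3, 0)
    shdrs = (SHDR.pack(0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
             + SHDR.pack(0, SHT_DYNAMIC, 0, 0, 64, 0, 2, 0, 8, 16)
             + SHDR.pack(0, 3, 0, 0, 64, len(dynstr), 0, 0, 1, 0))  # SHT_STRTAB
    return ehdr + dynstr + shdrs

if __name__ == "__main__":
    # Two constructed build paths of different length give different results.
    for path in (b"/build/a/example-1.0", b"/build/longer-dir/example-1.0"):
        print(path, blanked_strings(dynstr_bytes(sample_elf(path))))
```

Run against two builds of the same package, a differing blanked length points at the build path rather than at the compiler inputs.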
