Fw: Build Reproducibility in Debian - Opinion Needed

Bernhard M. Wiedemann bernhardout at lsmod.de
Thu Aug 25 06:38:11 UTC 2022

Muhammad Hassan wrote:
> Do you feel there is potential for detecting build unreproducibility statically (without executing adversarial rebuilds)?

Yes, there are a number of potentially troublesome strings listed in

If one of these gets added, it may be harmless, but would warrant a
rebuild test or closer inspection of the source.

On 24/08/2022 19.37, Chris Lamb wrote:
> Other avenues requiring a single build would include all the instrumentation
> approach (eg. strace/systemtap, etc.) taken by a few projects. I think
> Bernhard might be able to speak better on this, and there are some
> academic projects in this area as well.

My strace approach uses
to trigger

I use that to find where unreproducible files come from with

It seems strace cannot see time syscalls - maybe because those do not
reach the kernel via the linux-vdso.so.1 shortcut.

It would be possible to see accesses to /dev/[u]random and readdir syscalls.

I have also played a bit with ptrace-based
but it needed regular updates as Linux keeps introducing new syscalls.

Bernhard M.
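As an added example (not code from Bernhard's post or the rb-general thread), a small Python filter over `strace -f -o` output that flags the nondeterminism sources the message says strace can observe: opens of /dev/[u]random, readdir (getdents64) on directories, and whatever time syscalls actually reach the kernel. The log excerpt is constructed, not from a real build.

```python
import re
from collections import defaultdict

# Constructed strace -f -o excerpt (pid first, one syscall per line); not a real build log.
SAMPLE_LOG = r"""4242 openat(AT_FDCWD, "/dev/urandom", O_RDONLY|O_CLOEXEC) = 3
4242 read(3, "\x8a\x11"..., 16) = 16
4242 close(3) = 0
4242 openat(AT_FDCWD, "src/", O_RDONLY|O_NONBLOCK|O_CLOEXEC|O_DIRECTORY) = 4
4242 getdents64(4, 0x55d0c8a2e0b0 /* 7 entries */, 32768) = 208
4242 close(4) = 0
4243 openat(AT_FDCWD, "/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
4243 clock_gettime(CLOCK_REALTIME, {tv_sec=1661409491, tv_nsec=123}) = 0
"""

# Only successful openat calls (non-negative fd) are matched; failed ones return -1 and are skipped.
OPENAT_RE = re.compile(r'^(\d+) openat\(\w+, "([^"]+)", ([^)]*)\) = (\d+)$')
GETDENTS_RE = re.compile(r'^(\d+) getdents(?:64)?\((\d+),')
# Time calls normally go through the vDSO and never show up here; a hit means the
# call fell back to the kernel, an empty list proves nothing about clock use.
TIME_RE = re.compile(r'^(\d+) (clock_gettime|gettimeofday|time)\(')
CLOSE_RE = re.compile(r'^(\d+) close\((\d+)\) = 0$')

def find_nondeterminism(log: str) -> dict:
    """Classify observable nondeterminism sources in an strace log.

    Returns {'random': [paths], 'readdir': [directories or 'fd N'], 'time': [syscall names]}.
    """
    fds = defaultdict(dict)  # pid -> {fd: path}, so getdents64 can be attributed to a directory
    hits = {"random": [], "readdir": [], "time": []}
    for line in log.splitlines():
        if m := OPENAT_RE.match(line):
            pid, path, _flags, fd = m.groups()
            fds[pid][fd] = path
            if path in ("/dev/random", "/dev/urandom"):
                hits["random"].append(path)
        elif m := GETDENTS_RE.match(line):
            pid, fd = m.groups()
            # Unsorted readdir order is a classic source of differing archives and file lists.
            hits["readdir"].append(fds[pid].get(fd, f"fd {fd}"))
        elif m := TIME_RE.match(line):
            hits["time"].append(m.group(2))
        elif m := CLOSE_RE.match(line):
            fds[m.group(1)].pop(m.group(2), None)  # fd numbers get reused after close
    return hits

if __name__ == "__main__":
    for kind, items in find_nondeterminism(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

Any flagged directory is a candidate for a sorted readdir (or a rebuild test) rather than proof of an unreproducible output.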