Call for real-world scenarios prevented by RB practices

Richard Purdie richard.purdie at
Fri Mar 25 09:57:57 UTC 2022


On Tue, 2022-03-22 at 12:46 +0000, Chris Lamb wrote:
> Just wondering if anyone on this list is aware of any real-world
> instances where RB practices have made a difference and flagged
> something legitimately "bad"?
> Pretty sure that everyone here believes that reproducible builds *can*
> detect such issues (and might even prevent them from being attempted
> in the first place), but would be interested in anything that has been
> made public that can be specifically credited to reproducible builds
> practices or similar.

As we underwent this work with Yocto Project (which cross compiles), the biggest
thing we found were floating dependencies, for example where code would change
configuration depending on whether the host has /usr/bin/sendmail or not.

A second class of issues for us were build paths leaking into output binaries.
Our reproducible build tests always build in two different locations so we're
pretty happy to have that class of issues resolved now.

I pulled out a few random examples of things we've fixed:

A fun rpm issue where rpms built on an aarch64 host differed from those built on
an x86_64 system:

Broken file ownership in output packages from build races:

gtk+3 shipping a file but also sometimes regenerating it during build:

Makefile globbing leading to varying binary output:

Host paths to grep/python leaking into the output:

Sendmail path issue example:

Most of these aren't malicious but they are "bad" in the sense that we wanted to
identify and fix them.
