Debian and reproducible-builds.org incoherence?
kpcyrd
kpcyrd at archlinux.org
Wed Apr 12 15:49:58 UTC 2023
On 4/12/23 00:18, Alexis PM via rb-general wrote:
> I have obtained the following SHA256 sums:
> 24c2c432361dc226cf054fd19a8ce5f7d3e56143ccf4938b5f5b78f64ac3cae0 fbreader_0.12.10dfsg2-4_amd64.deb
> 1946370694d7c309f20bb11be786a5a0a767eb54da16bd92c6a6ff75d086f526 fbreader_0.12.10dfsg2-4_arm64.deb
> 8f7e19de12ea0a1e32a739be754b7908cfae871520d73a466709c2d178fd0790 fbreader_0.12.10dfsg2-4_armhf.deb
> d6256eed42b37e7d0b6991f29b559d2fae6800a5d1bfb0d20f4e6b86c108a923 fbreader_0.12.10dfsg2-4_i386.deb
> 7385ec87087fd88a899db042524ab3f86a004874f3cb06c3ef3abc0e0231d666 fbreader_0.12.10dfsg2-4_ppc64el.deb
>
> I downloaded and SHA256 calculated the official Debian packages from
> https://packages.debian.org/bullseye/$ARC/fbreader/download
> and additionally checked the SHA256 sum indicated at the bottom of the download page of each architecture:
> 8eeed0b70ccf6471c621ec12c074e4c487a36498a49721ee914dcb58f92dda1f fbreader_0.12.10dfsg2-4_amd64.deb
> 9ffc7cb7168ddb9509f3abb31e0a3838767c61948c3b0230bbda42039e153eaf fbreader_0.12.10dfsg2-4_arm64.deb
> 36ed2e4cf02ffbbfc6bd9495be5aa097e4fd8eda3dea152ac9630f260e24ba8c fbreader_0.12.10dfsg2-4_armhf.deb
> d77b1cd0a805ef20edc4aa4f31a3305754aba4863847607b007fda036d4dc1a1 fbreader_0.12.10dfsg2-4_i386.deb
> daff7aa4d947a13936510fdae65b2fdfffc767a43c163dda8e96f8e31785994c fbreader_0.12.10dfsg2-4_ppc64el.deb
> I have rechecked the SHA256 sums indicated on the web for each architecture. For example (copy-paste):
> https://packages.debian.org/bullseye/amd64/fbreader/download
> SHA256 checksum 8eeed0b70ccf6471c621ec12c074e4c487a36498a49721ee914dcb58f92dda1f
> In all cases, the SHA256 sums indicated on the download website coincide with the one calculated from those downloaded.
>
> Have I compiled and packaged everything wrong?
The missing piece is the buildinfo file. :)
https://buildinfos.debian.net/buildinfo-pool/f/fbreader/fbreader_0.12.10dfsg2-4_amd64.buildinfo
This describes the environment (and most importantly which packages in
which version were present back then).
For example gcc 4:9.2.1-3 was used to build
fbreader_0.12.10dfsg2-4_amd64.deb, while the gcc version currently in
Debian bullseye is 4:10.2.1-1. The `4:`, `-3`, `-1` are Debian specific,
if we remove them (for the sake of making it simpler to explain) it's
gcc 9.2.1 vs gcc 10.2.1. This alone makes it highly unlikely that both
gcc versions are going to generate an identical binary for the given
source code (other packages that have been updated in the meantime may
have an effect as well).
To reproduce the package on packages.debian.org (the one everybody cares
about), you need:
- this tool: https://github.com/fepitre/debrebuild
- the build info file I linked above.
I've last looked into this early 2022, the command I used back then was:
./debrebuild.py --output="some/dir/" --builder=mmdebstrap --use-metasnap path/to/fbreader_0.12.10dfsg2-4_amd64.buildinfo
There's a service doing this, run by Frédéric Pierret from QubesOS:
https://beta.tests.reproducible-builds.org/ (results may take a while to
load)
The system at https://tests.reproducible-builds.org/debian/ doesn't use
buildinfo files and always tests with the latest version of all
dependencies, in otherwise very different environments (different
hardware, different system time, different kernel, etc.). I've sometimes
referred to this as "build environment fuzzing". It's trying to detect
potential problems as early as possible to make sure it's able to build
them reproducibly despite these factors.
I hope this helps, please let me know if anything is still unclear!
Cheers,
kpcyrd
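The reply above boils down to two checks a verifier has to make: does the local build environment match the package versions recorded in the .buildinfo file, and do the locally built artifacts hash to the values the .buildinfo records. The following is an added example, not code from the original thread or from debrebuild: it parses a .buildinfo file in its deb822 (RFC 822-style) control format, reports which Installed-Build-Depends entries drift from a given environment, and compares Checksums-Sha256 entries against `sha256sum` output. The sample .buildinfo, the "current environment" table and all package versions other than the two gcc versions from the thread are constructed placeholders; the two amd64 digests are the official and the locally built ones quoted in the thread.

```python
"""Check a Debian .buildinfo against a local environment and local artifacts.

Added example, not part of the original post. The .buildinfo format is a
deb822 control file: "Field: value" lines, with multi-line fields continued
on lines that start with a space (Checksums-Sha256, Installed-Build-Depends).
"""
import re

# Constructed sample; only the gcc version (4:9.2.1-3) and the digest are
# taken from the thread, the other versions and the size are placeholders.
SAMPLE_BUILDINFO = """\
Format: 1.0
Source: fbreader
Binary: fbreader
Architecture: amd64
Version: 0.12.10dfsg2-4
Checksums-Sha256:
 8eeed0b70ccf6471c621ec12c074e4c487a36498a49721ee914dcb58f92dda1f 1234567 fbreader_0.12.10dfsg2-4_amd64.deb
Build-Architecture: amd64
Installed-Build-Depends:
 gcc (= 4:9.2.1-3),
 libc6-dev (= 2.29-3),
 debhelper (= 12.6)
Environment:
 LANG="C.UTF-8"
"""

# Constructed "what is installed now" table, as dpkg-query -W would report it;
# gcc 4:10.2.1-1 is the bullseye version named in the thread, the rest are placeholders.
CURRENT_ENV = {"gcc": "4:10.2.1-1", "libc6-dev": "2.31-13", "debhelper": "12.6"}

# Constructed sha256sum output for the locally rebuilt .deb (digest from the thread).
LOCAL_SHA256SUM = (
    "24c2c432361dc226cf054fd19a8ce5f7d3e56143ccf4938b5f5b78f64ac3cae0"
    "  fbreader_0.12.10dfsg2-4_amd64.deb\n"
)

# Installed-Build-Depends entries look like "pkg (= version)" or "pkg:arch (= version)".
DEP_RE = re.compile(r"^(?P<pkg>[a-z0-9][a-z0-9+.-]*)(?::(?P<arch>[a-z0-9-]+))?\s*\(=\s*(?P<ver>[^)]+)\)$")


def parse_deb822(text):
    """Parse a single deb822 paragraph into {field: value}; continuation lines are joined with newlines."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation of the previous field
            if current is None:
                raise ValueError("continuation line before any field")
            fields[current] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = value.strip()
    return fields


def parse_checksums(fields, key="Checksums-Sha256"):
    """Return {filename: (hexdigest, size)} from a Checksums-* field."""
    result = {}
    for line in fields.get(key, "").strip().splitlines():
        digest, size, name = line.split()
        result[name] = (digest.lower(), int(size))
    return result


def parse_installed_build_depends(fields):
    """Return {package: exact_version} recorded at build time."""
    deps = {}
    for item in fields.get("Installed-Build-Depends", "").replace("\n", " ").split(","):
        item = item.strip()
        if not item:
            continue
        m = DEP_RE.match(item)
        if not m:
            raise ValueError(f"unparsable dependency entry: {item!r}")
        deps[m.group("pkg")] = m.group("ver")
    return deps


def environment_drift(buildinfo_deps, installed):
    """Packages whose installed version differs from the recorded one: {pkg: (recorded, installed_or_None)}."""
    return {pkg: (ver, installed.get(pkg))
            for pkg, ver in sorted(buildinfo_deps.items()) if installed.get(pkg) != ver}


def verify_artifacts(expected, sha256sum_output):
    """Classify each recorded artifact as reproducible / mismatch / missing against sha256sum lines."""
    local = {}
    for line in sha256sum_output.strip().splitlines():
        digest, name = line.split(maxsplit=1)
        local[name.strip().lstrip("*")] = digest.lower()
    report = {}
    for name, (digest, _size) in expected.items():
        got = local.get(name)
        report[name] = "missing" if got is None else ("reproducible" if got == digest else "mismatch")
    return report


if __name__ == "__main__":
    fields = parse_deb822(SAMPLE_BUILDINFO)
    for pkg, (then, now) in environment_drift(parse_installed_build_depends(fields), CURRENT_ENV).items():
        print(f"{pkg}: buildinfo recorded {then}, installed now {now}")
    for name, status in verify_artifacts(parse_checksums(fields), LOCAL_SHA256SUM).items():
        print(f"{name}: {status}")
```

Run against a real .buildinfo, the drift report is the list of packages debrebuild would have to fetch from snapshot.debian.org before a byte-identical rebuild is even possible; a "mismatch" from `verify_artifacts` with an empty drift report is the case that actually warrants a diffoscope investigation.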