trying to reproduce hello-traditional from Debian. .buildinfo file? next steps?

Vagrant Cascadian vagrant at reproducible-builds.org
Wed Aug 2 17:24:23 UTC 2023


On 2023-08-02, Carles Pina i. Estany wrote:
> This is Debian specific but I cannot find a reproducible builds Debian
> specific mailing list. Let me know if I should ask elsewhere. Feel free
> to send me some pointers to read it myself.

There is also reproducible-builds at lists.alioth.debian.org more
specifically for Debian, although rb-general works too. We can all learn
from the quirks of other projects. :)


> TL;DR: I'm trying to build hello-traditional from Debian and have the
> same result as Debian. I cannot do it. Pointers welcome. I thought of
> using the .buildinfo file to reproduce the build environment and deps
> but unsure of the best way and if this is the way.

Yes, you usually need to use the same packages as listed in the
.buildinfo, and in general the same build path (tools like sbuild and
pbuilder randomize the build path by default). Although it looks like
hello-traditional is generally reproducible with varied build paths, so
more likely it is just different build dependencies.

It is sometimes possible to get bit-for-bit identical results even with
some variations in the build-dependencies, but it is not expected. More
like a happy fluke of luck. :)


> I'm trying to reproduce the build of the package hello-traditional. I
> understand from here:
> https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/hello-traditional.html
>
> That should be reproducible.
>
> I've done:
> $ sbuild --no-clean --arch-any --arch-all --no-source --dist=stable --arch=amd64 http://deb.debian.org/debian/pool/main/h/hello-traditional/hello-traditional_2.10-6.dsc
>
> Multiple times in two Debian systems (Debian 12.1 and 11.7, I know that
> should only depend on the schroot...) and every time I get:
>
> f712bac966e8fc2d1660bc5d61328a8e9f8354a93c119bb2137169dbdaeb22ab  hello-traditional_2.10-6_amd64.deb

So yeah, bookworm is now a stable release, so barring security or point
release updates, you are very likely to get the same exact packages
installed way more often than in testing or unstable.


> But the package that I can retrieve from Debian has a different sha256:
> $ curl -s http://ftp.de.debian.org/debian/pool/main/h/hello-traditional/hello-traditional_2.10-6_amd64.deb | sha256sum
> e39004ec8c3309f909d5442596f9fc442082cd8e28f03e7c438a65fb5bfd9956  -

But the hello-traditional on Debian's mirror was built in December of
2022, several months before the bookworm release, and many build
dependencies have since changed...


> And my question is: how to achieve the same Build ID?
>
> I thought of using the .buildinfo file from:
> https://tests.reproducible-builds.org/debian/buildinfo/bookworm/amd64/hello-traditional_2.10-6_amd64.buildinfo
>
> But I'm not sure what is the best way (besides installing the same exact
> packages in the schroot and setting the Environment) to do it. And I'm
> not sure that this is the way to go anyway, tool that might exist, etc.

There is some tooling to try to reproduce the exact build environment,
although it is somewhat hindered by issues with snapshot.debian.org. If
you're lucky, you might get it to work. There is a work-in-progress
replacement, but I am not sure of the status at this moment.


live well,
  vagrant
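
One way to see which build dependencies in a chroot differ from those recorded in a .buildinfo, as an added example that is not part of the original message or of any Debian tool. The function names are hypothetical and the sample .buildinfo fragment is constructed (field layout per deb-buildinfo(5), versions made up).

```python
import re
import subprocess
import sys

# Constructed sample: field layout follows deb-buildinfo(5), versions are made up.
SAMPLE_BUILDINFO = """\
Format: 1.0
Source: hello-traditional
Version: 2.10-6
Installed-Build-Depends:
 debhelper (= 13.11.1),
 gcc-12 (= 12.2.0-9),
 libc6-dev (= 2.36-5)
Environment:
 DEB_BUILD_OPTIONS="parallel=4"
"""

# One dependency per continuation line: "name[:arch] (= version),"
DEP_RE = re.compile(r"^\s*([^\s:(]+)(?::\S+)?\s*\(=\s*([^)\s]+)\s*\),?\s*$")

def parse_installed_build_depends(text):
    """Return {package: version} from the Installed-Build-Depends field."""
    deps, in_field = {}, False
    for line in text.splitlines():
        if line[:1] in (" ", "\t"):          # continuation line of the current field
            m = DEP_RE.match(line) if in_field else None
            if m:
                deps[m.group(1)] = m.group(2)
        else:                                 # a new "Field:" line (or blank/armor line)
            in_field = line.lower().startswith("installed-build-depends:")
    return deps

def diff_build_deps(wanted, installed):
    """Return {package: (buildinfo_version, installed_version_or_None)} for mismatches."""
    return {p: (v, installed.get(p)) for p, v in sorted(wanted.items())
            if installed.get(p) != v}

def installed_versions():
    """Ask dpkg which versions are installed in the current (ch)root."""
    out = subprocess.run(["dpkg-query", "-W", "-f", "${Package} ${Version}\n"],
                         check=True, capture_output=True, text=True).stdout
    return dict(l.split(" ", 1) for l in out.splitlines() if " " in l)

if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        wanted = parse_installed_build_depends(fh.read())
    for pkg, (want, have) in diff_build_deps(wanted, installed_versions()).items():
        print(f"{pkg}: buildinfo {want}, installed {have or 'not installed'}")
```

Run it inside the build chroot with the path to the .buildinfo as the only argument; an empty output means every recorded build dependency is installed at the recorded version.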