Reproducible Builds for recent Debian security updates

Vagrant Cascadian vagrant at reproducible-builds.org
Sun Mar 31 03:29:10 UTC 2024


On 2024-03-29, Vagrant Cascadian wrote:
> So far, I have not found any reproducibility issues; everything I tested
> I was able to get to build bit-for-bit identical with what is in the
> Debian archive.
>
> I only tested bookworm security updates (not bullseye)
...
> Not yet finished building:
>
>   openvswitch

So, the builds of openvswitch failed in the test suite...

... I performed another build with tests disabled, and the amd64
packages were bit-for-bit identical, but one of the arch:all packages,
"openvswitch-source" had an already known issue; embedded information
(username, uid, group, gid, timestamp ...) in the included tarball.

This matches the previous version tested in the reproducible builds test
infrastructure:

  https://tests.reproducible-builds.org/debian/dbdtxt/bookworm/amd64/openvswitch_3.1.0-2.diffoscope.txt.gz

This is an explainable issue and I would say does not indicate anything
surprising or unexpected or malicious, just unfortunate that it is not
bit-for-bit reproducible, as it actually requires analysis!

The good news is that newer versions (~3.2.2+) in Debian trixie and
unstable of "openvswitch-source" fix this by shipping the source in a
directory rather than a tarball, which dpkg normalizes when generating
the .deb. So at least for future versions this issue is already fixed.


live well,
  vagrant
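The tarball problem described in the message above, as an added example that is not part of the original post or of the openvswitch packaging: a plain `tar -czf` records the builder's uid, gid, user and group names and each file's mtime in every member header (and gzip adds its own timestamp), so two builds of the same tree differ byte-for-byte. The second function applies the normalization the Debian reproducible-builds documentation recommends for GNU tar (sorted member order, owner/group 0 with numeric ids, a fixed mtime taken from SOURCE_DATE_EPOCH, no atime/ctime in pax headers, `gzip -n`), which is the same class of fix dpkg applies when it builds the data archive from a shipped directory. The directory layout, file contents and the default epoch are constructed for the demonstration; it assumes GNU tar 1.28+ and coreutils.

```shell
#!/bin/sh
# Added example: show why an embedded tarball is not reproducible unless its
# metadata is normalized. Requires GNU tar (>= 1.28 for --sort) and sha256sum.
set -eu

# Default SOURCE_DATE_EPOCH for the demo: 2024-03-29 00:00:00 UTC (constructed).
: "${SOURCE_DATE_EPOCH:=1711670400}"

# make_tree <dir> <touch -t stamp>: a tiny constructed "source tree" whose
# files carry the given mtime, standing in for two checkouts made at
# different times on different machines.
make_tree() {
  dir=$1; stamp=$2
  mkdir -p "$dir/src"
  printf 'int main(void) { return 0; }\n' > "$dir/src/main.c"
  printf 'all: src/main.c\n\tcc -o prog src/main.c\n' > "$dir/Makefile"
  TZ=UTC touch -t "$stamp" "$dir/src/main.c" "$dir/Makefile" "$dir/src" "$dir"
}

# naive_tar <dir> <out.tar.gz>: what a packaging rule often does. Member
# headers keep the builder's uid/gid/uname/gname and the on-disk mtimes,
# directory order is whatever readdir() returns, and gzip stores a timestamp.
naive_tar() {
  tar -C "$1" -czf "$2" .
}

# normalized_tar <dir> <out.tar.gz>: the same archive with every
# builder-dependent field pinned.
normalized_tar() {
  tar -C "$1" \
      --sort=name \
      --owner=0 --group=0 --numeric-owner \
      --mtime="@${SOURCE_DATE_EPOCH}" \
      --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
      -cf - . | gzip -n > "$2"
}
# --sort=name         : member order no longer depends on the filesystem
# --owner/--group=0,
# --numeric-owner     : uid/gid 0, empty uname/gname, independent of the builder
# --mtime=@EPOCH      : one mtime for every member instead of checkout times
# --pax-option=...    : if the pax format is in use, drop atime/ctime headers
# gzip -n             : no original filename or timestamp in the gzip header

sha() { sha256sum "$1" | cut -d' ' -f1; }

# compare <naive_tar|normalized_tar>: build two equivalent trees with different
# mtimes, archive both with the given method, return 0 iff the hashes match.
compare() {
  method=$1
  work=$(mktemp -d)
  make_tree "$work/a" 202403290000.00
  make_tree "$work/b" 202403301234.56
  "$method" "$work/a" "$work/a.tar.gz"
  "$method" "$work/b" "$work/b.tar.gz"
  ha=$(sha "$work/a.tar.gz"); hb=$(sha "$work/b.tar.gz")
  rm -rf "$work"
  if [ "$ha" = "$hb" ]; then return 0; else return 1; fi
}

if compare naive_tar; then echo "naive_tar:      identical"; else echo "naive_tar:      differ"; fi
if compare normalized_tar; then echo "normalized_tar: identical"; else echo "normalized_tar: differ"; fi
```

Running it prints `differ` for the naive archive and `identical` for the normalized one; `diffoscope a.tar.gz b.tar.gz` on the naive pair shows exactly the uid/gid/user/group/mtime header differences the message refers to, which is the analysis step a reproducible package avoids.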