Minimal Reproducible Arch Linux (4(+2) unreproducible, January 2025 status update)
kpcyrd
kpcyrd at archlinux.org
Wed Jan 22 11:50:53 UTC 2025
Dear list,
I rechecked my VM that I tried to build with "reproducible only" Arch
Linux packages, last year there was only the Linux kernel missing, there
have been some regressions that I've investigated.
Most other packages I could uninstall, but uninstalling these 4 would
result in either making the system unbootable, or uninstalling the
package manager.
I'm also sharing these here since none of them seem Arch Linux specific,
but rather issues that could be fixed upstream.
## curl
The binary itself is reproducible but the zsh completions seem
nondeterministic. I triaged this bug today and it's because the
completions are derived from `curl --help all` output, which in turn
queries the terminal window size and includes extra spaces for padding
that are not normalized by the zsh-completions build script:
https://github.com/curl/curl/issues/16072
https://web.archive.org/web/20250121190753/https://reproducible.archlinux.org/api/v0/builds/722464/diffoscope
## kbd
The keymap files are gzip compressed and the header contains timestamps
(lack of `gzip -n`).
This was fixed recently, but hasn't been released yet:
https://github.com/legionus/kbd/commit/eebaa3b69efd9e3d218f3436dc43ff3340020ef5
https://web.archive.org/web/20250121190803/https://reproducible.archlinux.org/api/v0/builds/715382/diffoscope
## linux
This has been discussed on this list a few times recently (there's
progress on the LKML tho \o/).
https://lore.kernel.org/lkml/20250120-module-hashes-v2-0-ba1184e27b7f@weissschuh.net/
## pam
The package contains .pdf documentation generated by 'Apache FOP' which
has some `CreationDate` embedded in the first 0x90 bytes that isn't
normalized through SOURCE_DATE_EPOCH.
https://web.archive.org/web/20250121190809/https://reproducible.archlinux.org/api/v0/builds/714300/diffoscope
---
## Consensus
These results are according to:
- https://reproducible.archlinux.org
- https://reproducible.crypto-lab.ch
The instance running at https://wolfpit.net/rebuild/ marks some
additional packages as unreproducible, for example:
- the `perl` package records something along the lines of `hostname -d`,
and the wahrwolf instance has a value set for this (`.your-server.de`)
while the other two don't (`.nonet`).
- the `unzip` package relies on 31 patches applied on top of the latest
release(!), it seems one of the patches pulled from
`https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-6.0-alt-iconv-utf8.patch`
has been modified recently from
sha512:a00e41feede53d42e0eb03d8280664b2a904918fab3c52459d02c07a298dd12e482eb3318c1842933ac3a527308dc5e4871f029b6b79e5bc2b2e1d84fee4fd0f
to
sha512:272abbbc92488bc2f08b230a6f240716ff8204541b3c97752ac42db513ec6c7f2a17b4bdb2c76d68bf8830e0b24a1e8fc2a3948bd8f413dc7eb1ebe88dbad9b6,
while the Arch Linux PKGBUILD assumes these to be stable. For .tar.gz
source code releases there's a common assumption they can't change
without a version number change, with patch files there isn't
necessarily, so software in a similar situation to unzip tends to be in
a fairly fragile state and should be avoided:
https://src.fedoraproject.org/rpms/unzip/c/8ce8569f5add999ea9e957341d772eeca165f117?branch=rawhide
- the `libtool` package has a misunderstanding of copyright and records
the build year in their man pages, which recently changed, so while this
package was cleared by the two other rebuilders as "not tampered", it's
not reproducible anymore.
- the `findutils` package seems to pull `.mo` files from the network
during build, the Belgian findutils.mo changed from "PO-Revision-Date:
2024-04-15 21:24+0300\n" to "PO-Revision-Date: 2024-09-06 17:22+0300\n",
I couldn't figure out where/how this is fetched, I suspect it has to do
with `./bootstrap` and `autopull` (the latter I never heard of before).
This package was reproduced, but is also not reproducible anymore.
- the `gdbm` package fails to build because
https://translationproject.org/PO-files/sr/gdbm-1.23.90.sr.po was
modified from
sha512:0081120a95238c47884b5ae25398cdb43fb18faa7b8e3417673de3aaac74871814ffbf5a878726cd4bf4805f8a33404054f0fe068ce2b4221e38d173f61255ee
to
sha512:5ebb31a9b90ccbb529a53293811b7df6c640547f6c3133603114e2db38406a95624ae12a2d71e24851780bb2995809863a478b9020e21da8c39880c8e8ffa857,
this is surprising because it seems to belong to a versioned release
(translation_version=1.23.90), I'm not sure where to report this.
Some of them I could remove from my minimal installation though.
cheers,
kpcyrd
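
The gzip header issue described in the kbd section, as an added example that is not part of the original post or of the kbd build system: it reads the MTIME and FNAME fields of a gzip header (RFC 1952) and compares two builds of the same file with and without `gzip -n` behaviour. The keymap content, the file name `us.map` and both timestamps are constructed for illustration.

```python
import gzip
import io
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits from RFC 1952


def gzip_header_info(blob):
    """Return (mtime, original_name) stored in a gzip member header."""
    magic, method, flags, mtime = struct.unpack_from("<HBBI", blob, 0)
    if magic != 0x8B1F or method != 8:
        raise ValueError("not a gzip/deflate stream")
    pos = 10  # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & FEXTRA:
        (xlen,) = struct.unpack_from("<H", blob, pos)
        pos += 2 + xlen
    name = None
    if flags & FNAME:
        end = blob.index(b"\0", pos)
        name = blob[pos:end].decode("latin-1")
    return mtime, name


def compress_keymap(data, name, file_mtime, no_name=False):
    """Mimic `gzip` (default) or `gzip -n` (no_name=True).

    Plain gzip stores the input file's mtime and name; for a file generated
    during the build, that mtime is the build time.
    """
    buf = io.BytesIO()
    with gzip.GzipFile(filename="" if no_name else name, mode="wb",
                       fileobj=buf, mtime=0 if no_name else file_mtime) as f:
        f.write(data)
    return buf.getvalue()


# Constructed sample: the same keymap built at two different times.
KEYMAP = b"keymaps 0-2\nkeycode 1 = Escape\n"
BUILD_A, BUILD_B = 1737000000, 1737460000


def compare_builds(no_name):
    """Return (bytes identical?, header of build A, header of build B)."""
    a = compress_keymap(KEYMAP, "us.map", BUILD_A, no_name)
    b = compress_keymap(KEYMAP, "us.map", BUILD_B, no_name)
    return a == b, gzip_header_info(a), gzip_header_info(b)


if __name__ == "__main__":
    print("gzip   :", compare_builds(False))
    print("gzip -n:", compare_builds(True))
```

Running `gzip_header_info` over the `.gz` files of a built package shows which ones still carry a non-zero timestamp.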