Minimal Reproducible Arch Linux (4(+2) unreproducible, January 2025 status update)

Holger Levsen holger at layer-acht.org
Wed Jan 22 12:17:22 UTC 2025 

hi kpcyrd,

thanks for this interesting update! & kudos on the progress!

On Wed, Jan 22, 2025 at 12:50:53PM +0100, kpcyrd wrote:
> ## Consensus
> These results are according to:
> - https://reproducible.archlinux.org
> - https://reproducible.crypto-lab.ch

given it's just 4 unreproducible packages I assume you just compared manually?
or, IOW, does arch-repro-status supports querying several servers at once and
comparing the result?
 
> The instance running at https://wolfpit.net/rebuild/ marks some additional
> packages as unreproducible, for example:
> 
> - the `perl` package records something along the lines of `hostname -d`, and
> the wahrwolf instance has a value set for this (`.your-server.de`) while the
> other two don't (`.nonet`).
> - the `unzip` package relies on 31 patches applied on top of the latest
> release(!), it seems one of the patches pulled from `https://src.fedoraproject.org/rpms/unzip/raw/rawhide/f/unzip-6.0-alt-iconv-utf8.patch`
> has been modified recently from sha512:a00e41feede53d42e0eb03d8280664b2a904918fab3c52459d02c07a298dd12e482eb3318c1842933ac3a527308dc5e4871f029b6b79e5bc2b2e1d84fee4fd0f
> to sha512:272abbbc92488bc2f08b230a6f240716ff8204541b3c97752ac42db513ec6c7f2a17b4bdb2c76d68bf8830e0b24a1e8fc2a3948bd8f413dc7eb1ebe88dbad9b6,
> while the Arch Linux PKGBUILD assumes these to be stable. 

interesting find!

> - the `libtool` package has a misunderstanding of copyright and records the
> build year in their man pages, which recently changed, so while this package
> was cleared by the two other rebuilders as "not tampered", it's not
> reproducible anymore.

yes, I think also for rebuilders there should be continous rebuilds,
though with much less frequency than CI builds.

> - the `findutils` package seems to pull `.mo` files from the network during
> build, 

i'm surprised to learn network access is allowed at build time! (so i'm not
surprised such things then happen.)

keep up the great work!


-- 
cheers,
	Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
 ⠈⠳⣄

When you’re used to privilege, equality feels like oppression.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20250122/f8a24e91/attachment.sig>

More information about the rb-general mailing list