Minimal Reproducible Arch Linux (4(+2) unreproducible, January 2025 status update)

kpcyrd kpcyrd at archlinux.org
Wed Jan 22 13:45:05 UTC 2025


On 1/22/25 1:17 PM, Holger Levsen wrote:
> thanks for this interesting update! & kudos on the progress!

thank you!

> given it's just 4 unreproducible packages I assume you just compared manually?
> or, IOW, does arch-repro-status support querying several servers at once and
> comparing the result?

I did this somewhat manually with the following 3 commands:

arch-repro-status
arch-repro-status -r https://reproducible.crypto-lab.ch
arch-repro-status -r https://wolfpit.net/rebuild/

The pacman-bintrans tool is able to query multiple instances to 
implement thresholds, but this tool only becomes relevant once a minimal 
reproducible install is achievable.

>> - the `libtool` package has a misunderstanding of copyright and records the
>> build year in their man pages, which recently changed, so while this package
>> was cleared by the two other rebuilders as "not tampered", it's not
>> reproducible anymore.
> 
> yes, I think also for rebuilders there should be continuous rebuilds,
> though with much less frequency than CI builds.

I agree, occasional rebuilds every once in a while (like every 4-12 
weeks) seem inevitable.

>> - the `findutils` package seems to pull `.mo` files from the network during
>> build,
> 
> i'm surprised to learn network access is allowed at build time! (so i'm not
> surprised such things then happen.)

There's a few build systems that use network access and are well behaved 
(for example cargo uses crates.io but their Cargo.lock cryptographically 
pins the content of all network resources, but also composer, go, npm, 
... are all well-behaved in properly set up projects).

From my gut feeling it's mostly externally managed translation files 
that are not considered "proper source code" causing issues.

---

I filed issues/patches for some packages now:

- findutils: 
https://gitlab.archlinux.org/archlinux/packaging/packages/findutils/-/issues/1
- gdbm: 
https://gitlab.archlinux.org/archlinux/packaging/packages/gdbm/-/issues/1
- perl: 
https://gitlab.archlinux.org/archlinux/packaging/packages/perl/-/merge_requests/9

I also uploaded a new build for the unzip package, but since there 
hasn't been a release in over 15 years and their forum being down, maybe 
this software should be considered end-of-life and euthanized (if nobody 
is willing to start a proper fork - but I digress).

cheers,
kpcyrd
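
The manual comparison across three rebuilders and the threshold idea mentioned for pacman-bintrans, sketched as an added example (not part of the original mail, and not code from arch-repro-status or pacman-bintrans). The status strings, versions and per-rebuilder results are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data: rebuilder -> package -> (version, status).
# "default" stands for arch-repro-status run without -r; all versions and
# statuses here are made up for illustration.
REPORTS = {
    "default": {
        "libtool": ("1.0-1", "BAD"), "findutils": ("1.0-1", "BAD"),
        "gdbm": ("1.0-1", "GOOD"), "perl": ("1.0-1", "GOOD"),
    },
    "https://reproducible.crypto-lab.ch": {
        "libtool": ("1.0-1", "GOOD"), "findutils": ("1.0-1", "BAD"),
        "gdbm": ("1.0-1", "GOOD"), "perl": ("1.0-0", "GOOD"),  # stale version
    },
    "https://wolfpit.net/rebuild/": {
        "libtool": ("1.0-1", "GOOD"), "findutils": ("1.0-1", "UNKWN"),
        "gdbm": ("1.0-1", "GOOD"), "perl": ("1.0-1", "BAD"),
    },
}
INSTALLED = {"libtool": "1.0-1", "findutils": "1.0-1",
             "gdbm": "1.0-1", "perl": "1.0-1"}


def rebuilders_with(reports, package, version, status):
    """Rebuilders reporting `status` for exactly this package version.

    A result for a different version says nothing about the installed
    package, so it is ignored rather than counted.
    """
    return sorted(name for name, pkgs in reports.items()
                  if pkgs.get(package) == (version, status))


def evaluate(reports, installed, threshold):
    """Classify each installed package by independent confirmations."""
    verdicts = {}
    for package, version in installed.items():
        good = rebuilders_with(reports, package, version, "GOOD")
        bad = rebuilders_with(reports, package, version, "BAD")
        if len(good) >= threshold:
            # Enough confirmations, but a dissenting rebuilder is worth
            # surfacing: the package may have stopped being reproducible.
            verdict = "confirmed-with-dissent" if bad else "confirmed"
        elif good:
            verdict = "below-threshold"
        else:
            verdict = "unconfirmed"
        verdicts[package] = (verdict, good, bad)
    return verdicts


if __name__ == "__main__":
    for pkg, (verdict, good, bad) in evaluate(REPORTS, INSTALLED, 2).items():
        print(f"{pkg:10} {verdict:23} good={len(good)} bad={len(bad)}")
```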

