Minimal Reproducible Arch Linux (4(+2) unreproducible, January 2025 status update)

kpcyrd kpcyrd at archlinux.org
Wed Jan 22 21:46:58 UTC 2025


On 1/22/25 6:39 PM, Bernhard M. Wiedemann wrote:
> In my https://build.opensuse.org/package/show/home:bmwiedemann:reproducible:distribution:ring1/kernel-source
> I added a fixed pubkey - that was enough so it does not create a random 
> tmp keypair.

I can imagine this made the kernel image itself reproducible, but are 
the modules not signed?

>> ## pam
>>
>> The package contains .pdf documentation generated by 'Apache FOP' 
>> which has some `CreationDate` embedded in the first 0x90 bytes that 
>> isn't normalized through SOURCE_DATE_EPOCH.
>>
>> https://web.archive.org/web/20250121190809/https://reproducible.archlinux.org/api/v0/builds/714300/diffoscope
> 
> I solved pam with two patches in
> https://build.opensuse.org/projects/home:bmwiedemann:reproducible:distribution:ring0/packages/xmlgraphics-fop/files/reproducible.patch
> and pretty dirty
> https://build.opensuse.org/projects/home:bmwiedemann:reproducible:distribution:ring0/packages/xmlgraphics-fop/files/test2.patch

Thanks for sharing these. I learned that Apache FOP has been known to be 
problematic since soon-to-be 6 years and the status is currently "Won't 
fix". 💔

https://issues.apache.org/jira/browse/FOP-2854
https://github.com/apache/xmlgraphics-fop/pull/65

The first patch I could probably get included in Arch Linux, the second 
one is likely not going to fly.

Since it seems this problem hasn't been documented in the pam project 
itself yet, I've opened a bug asking how they would feel switching to a 
documentation system that actually cares:

https://github.com/linux-pam/linux-pam/issues/873

I'm fully aware this isn't something to casually ask for, but what can 
we do.

cheers,
kpcyrd
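
The pam issue discussed in this thread (a `CreationDate` near the start of the PDF that does not follow SOURCE_DATE_EPOCH) can be checked for with a few lines of Python. This is an added example, not code from the thread or from any of the projects mentioned; the function names and the two sample byte strings are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# PDF date string: D:YYYYMMDDHHmmSS, optionally followed by Z or +HH'mm' / -HH'mm'
PDF_DATE = re.compile(
    rb"/(CreationDate|ModDate)\s*\(D:(\d{14})(?:(Z)|([+-])(\d{2})'?(\d{2})?'?)?\)"
)

def pdf_dates(data, window=None):
    """Return {key: epoch seconds} for date keys found in data[:window]."""
    found = {}
    for m in PDF_DATE.finditer(data[:window]):
        key, stamp, _z, sign, hh, mm = m.groups()
        offset = timedelta(0)
        if sign:
            offset = timedelta(hours=int(hh), minutes=int(mm or b"0"))
            if sign == b"-":
                offset = -offset
        local = datetime.strptime(stamp.decode(), "%Y%m%d%H%M%S")
        found[key.decode()] = int(local.replace(tzinfo=timezone(offset)).timestamp())
    return found

def unnormalized(data, source_date_epoch, window=None):
    """List date keys whose value differs from SOURCE_DATE_EPOCH."""
    return sorted(k for k, v in pdf_dates(data, window).items()
                  if v != source_date_epoch)

def first_diff(a, b):
    """Offset of the first differing byte between two builds, or -1 if equal."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))

# Constructed sample data: the head of two PDF builds that differ only in the date.
HEAD = (b"%PDF-1.4\n%\xaa\xab\xac\xad\n1 0 obj\n<<\n"
        b"/Creator (Apache FOP)\n/Producer (Apache FOP)\n")
BUILD_A = HEAD + b"/CreationDate (D:20250121190809Z)\n>>\nendobj\n"
BUILD_B = HEAD + b"/CreationDate (D:20250122214658+01'00')\n>>\nendobj\n"
EPOCH = 1737486489  # constructed SOURCE_DATE_EPOCH (2025-01-21 19:08:09 UTC)

if __name__ == "__main__":
    for name, build in (("A", BUILD_A), ("B", BUILD_B)):
        print(name, pdf_dates(build, 0x90), unnormalized(build, EPOCH, 0x90))
    print("first differing offset:", hex(first_diff(BUILD_A, BUILD_B)))
```
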

