From vagrant at reproducible-builds.org Mon Jun 1 04:59:53 2026
From: vagrant at reproducible-builds.org (Vagrant Cascadian)
Date: Sun, 31 May 2026 20:59:53 -0700
Subject: Bug#1138608: grub2: reproducible builds: non-deterministic ordering in lintian overrides
Message-ID: <87pl2ax64m.fsf@wireframe>

Source: grub2
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

Both grub-xen-dbg and grub-xen-bin generate their lintian overrides from
debian/rules using find, which may return results in a non-deterministic order:

https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383903/diffoscope
https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383902/diffoscope

The attached patch sorts each of the find calls used to generate the
lintian overrides, which should result in a deterministic ordering... at
least if the locale is consistent (which it should be with
buildd.debian.org vs. reproduce.debian.net)... the proposed fix for
https://bugs.debian.org/991928 might also help with varying locales.

This does not resolve all reproducibility issues in grub2 (there are a
few other bugs with patches filed that will partly help), but it should
at least fix those two packages!

live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debian-rules-Sort-calls-to-find-when-generating-lint.patch
Type: text/x-diff
Size: 4033 bytes
Desc: not available
URL:

From vagrant at reproducible-builds.org Mon Jun 1 06:05:25 2026
From: vagrant at reproducible-builds.org (Vagrant Cascadian)
Date: Sun, 31 May 2026 22:05:25 -0700
Subject: Bug#991926: grub2: reproducible builds: timestamps in info pages
In-Reply-To: <878s1f4ktg.fsf@ponder>
References: <878s1f4ktg.fsf@ponder> <878s1f4ktg.fsf@ponder>
Message-ID: <87mrxex33e.fsf@wireframe>

On 2021-08-05, Vagrant Cascadian wrote:
> Timestamps are embedded in the info pages shipped in grub2-common:
>
> https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/grub2.html
>
> ./usr/share/info/grub.info-1.gz
>
> ...27 August 2022
> vs.
> ...24 July 2021
>
>
> The attached patches fix this by removing the UPDATED parts from
> docs/grub-dev.texi and docs/grub.texi.

I have confirmed that this issue is still present and that the patch
fixes the issue.

> There are still several other outstanding issues affecting the
> reproducibility of grub2 (including other timestamp issues), but this
> should help reduce the differences to troubleshoot the remaining issues.

Would you be amenable to an NMU of grub2 to fix this timestamp issue
(#991926) and several of the other outstanding reproducibility issues?

https://bugs.debian.org/991928 (locales)
https://bugs.debian.org/991927 (/bin/sh vs. /bin/bash)
https://bugs.debian.org/1138608 (ordering in lintian overrides)

There are still some remaining issues, but this would at least fix a few
of the packages produced by grub2 that are not building reproducibly:

https://reproduce.debian.net/excuses.html?source_name=grub2

Am looking at the other issues too, but since some are nearly 5 years
old... it would be nice to get them fixed to reduce the noise. :)

live well,
  vagrant

> From 5350251d24394b67c2075ece7a4af18a8a299b0a Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian
> Date: Mon, 26 Jul 2021 00:05:21 +0000
> Subject: [PATCH 2/3] Remove updated timestamps from grub.texi and
>  grub-dev.texi
>
> The timestamps are embedded in the documentation at build time, which
> does not accurately reflect when the documentation was last updated,
> and obviously causes issues for reproducible builds to embed the build
> time.
>
> https://reproducible-builds.org/docs/timestamps/
> ---
>  docs/grub-dev.texi | 5 ++---
>  docs/grub.texi | 5 ++---
>  2 files changed, 4 insertions(+), 6 deletions(-)
>
> diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi > index 635ec7231..6accaf4c8 100644 > --- a/docs/grub-dev.texi > +++ b/docs/grub-dev.texi > @@ -17,8 +17,7 @@ > @finalout > > @copying > -This developer manual is for GNU GRUB (version @value{VERSION}, > - at value{UPDATED}). > +This developer manual is for GNU GRUB (version @value{VERSION}). > > Copyright @copyright{} 1999,2000,2001,2002,2004,2005,2006,2008,2009,2010,2011 Free Software Foundation, Inc. > > @@ -40,7 +39,7 @@ Invariant Sections. > @titlepage > @sp 10 > @title the GNU GRUB developer manual > - at subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}. > + at subtitle The GRand Unified Bootloader, version @value{VERSION}. > @author Yoshinori K. Okuji > @author Colin D Bennett > @author Vesa J??skel?inen > diff --git a/docs/grub.texi b/docs/grub.texi > index 25f77d342..a3dc79301 100644 > --- a/docs/grub.texi > +++ b/docs/grub.texi > @@ -17,8 +17,7 @@ > @finalout > > @copying > -This manual is for GNU GRUB (version @value{VERSION}, > - at value{UPDATED}). > +This manual is for GNU GRUB (version @value{VERSION}). > > Copyright @copyright{} 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc.
> > @@ -48,7 +47,7 @@ Invariant Sections. > @titlepage > @sp 10 > @title the GNU GRUB manual > - at subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}. > + at subtitle The GRand Unified Bootloader, version @value{VERSION}. > @author Gordon Matzigkeit > @author Yoshinori K. Okuji > @author Colin Watson > -- > 2.32.0

From vagrant at reproducible-builds.org Mon Jun 1 06:30:34 2026
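Review bot: nothing in the quoted patch shows that the `@copying` and `@subtitle` lines touched at `@@ -17,8 +17,7 @@`, `@@ -40,7 +39,7 @@` and `@@ -48,7 +47,7 @@` are the only users of `@value{UPDATED}`. A reference left elsewhere in docs/grub.texi or docs/grub-dev.texi would still put the build date into the info pages, so grep both files for `UPDATED` and state the result in the commit message.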
From: vagrant at reproducible-builds.org (Vagrant Cascadian)
Date: Sun, 31 May 2026 22:30:34 -0700
Subject: Bug#1138611: grub2: reproducible builds: debian/platform-subst uses non-deterministic readdir
Message-ID: <87jysix1xh.fsf@wireframe>

Source: grub2
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

The debian/platform-subst script used to generate .postinst for grub-xen
uses readdir to determine which platform to embed. The directory
ordering may not be deterministic, and can result in differences between
the resulting .postinst script.
(/boot/grub/i386-xen_pvh/core.img vs. /boot/grub/i386-xen/core.img):

https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383901/diffoscope

The attached patch sorts the list of platforms before picking the first
one, so it can at least pick consistently.

Perhaps there is a more elegant way to pull this off, but I believe this
ought to work. :)

live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debian-platform-subst-Use-sorted-list-of-cpu_platfor.patch
Type: text/x-diff
Size: 1778 bytes
Desc: not available
URL:

From vagrant at reproducible-builds.org Mon Jun 1 21:12:12 2026
From: vagrant at reproducible-builds.org (Vagrant Cascadian)
Date: Mon, 01 Jun 2026 13:12:12 -0700
Subject: Bug#1138608: grub2: reproducible builds: non-deterministic ordering in lintian overrides
In-Reply-To: <87pl2ax64m.fsf@wireframe>
References: <87pl2ax64m.fsf@wireframe> <87pl2ax64m.fsf@wireframe>
Message-ID: <87h5nmvx43.fsf@wireframe>

On 2026-05-31, Vagrant Cascadian wrote:
> Both grub-xen-dbg and grub-xen-bin generate their lintian overrides from
> debian/rules using find, which may return results in a non-deterministic order:
>
> https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383903/diffoscope
> https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383902/diffoscope
>
> The attached patch sorts each of the find calls used to generate the
> lintian overrides, which should result in a deterministic ordering... at
> least if the locale is consistent

Missed one that did not appear to be an issue, but that might just be
due to luck (or there are not multiple?):

--- a/debian/rules +++ b/debian/rules @@ -452,7 +452,7 @@ install/grub-pc install/grub-efi-ia32 install/grub-efi-amd64 install/grub-efi-ar [ "$@" = "install/grub-xen" ]; then \ echo "$(package_bin): binary-from-other-architecture [*.mod]" \ >> debian/$(package_bin)/usr/share/lintian/overrides/$(package_bin) ; \ - cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img \ + cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img | sort \ | sed -e "s%.*%$(package_bin): binary-from-other-architecture [&]%g" \ >> $(CURDIR)/debian/$(package_bin)/usr/share/lintian/overrides/$(package_bin) ; \ fi

live well,
  vagrant

From vagrant at reproducible-builds.org Mon Jun 1 21:34:04 2026
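Review bot: the `| sort` added after `find usr/lib/grub -name kernel.img` in the `@@ -452,7 +452,7 @@` hunk of debian/rules inherits the collation of whatever locale the build runs in, which is the caveat the report itself raises. Writing it as `| LC_ALL=C sort` would make the order of the override lines independent of the build environment.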
From: vagrant at reproducible-builds.org (Vagrant Cascadian)
Date: Mon, 01 Jun 2026 13:34:04 -0700
Subject: Bug#787795: grub2: please build rescue ISO and floppy reproducibly
In-Reply-To: <172786712080.237473.15830461843433011593.reportbug@frontier>
References: <20150605063738.31768.1551.reportbug@alice.fifthhorseman.net> <172786712080.237473.15830461843433011593.reportbug@frontier> <20150605063738.31768.1551.reportbug@alice.fifthhorseman.net>
Message-ID: <87eciqvw3n.fsf@wireframe>

On 2024-10-02, James Addison wrote:
> On Fri, 05 Jun 2015 02:37:38 -0400, Daniel wrote:
>> > However, it won't be completely reproducible until we get a newer
>> > version of xorriso in debian so that we can "-alter_date_r c" (see
>> > #787793, which blocks this bug).
>
> On Sun, 25 Jul 2021 16:19:46 -0700, Vagrant wrote:
>> Since newer versions of xorriso are now in Debian, I tried adding
>> "-alter_date_r c" to xorriso calls, but it would seem xorriso doesn't
>> support "-alter_date_r c" when used with "-as mkisofs". I'm not sure how
>> difficult it would be to convert away from using "-as mkisofs" so that
>> "-alter_date_r c" would be supportable...
>
> From inspecting the grub codebase and the commandline options to both xorriso
> and xorrisofs (aka "xorriso -as mkisofs").. although it may in theory be
> possible to convert to 'native' xorriso by migrating a lot of the command-line
> construction, I think that it might be fragile and unnecessary work, because:
>
> ...there is a '--set_all_file_dates' command-line option[1] in xorrisofs that
> seems to do what we want here.
>
> There's one other change required in grub-mkrescue alongside this in order to
> achieve reproducible builds: we need it to read from the SOURCE_DATE_EPOCH env
> var when set (currently grub-mkrescue always uses system clock time).
>
> Please find attached a patch that allows me to rebuild grub-rescue-cdrom.iso
> deterministically on my local machine when SOURCE_DATE_EPOCH is set.
> I'll also offer this as a merge request on the Salsa repository[2].

I can confirm that this still applies for grub2 2.14-2, still is needed,
and fixes the issue. Thanks!

So that is one more known fix for grub2 reproducibility...

live well,
  vagrant

> From: James Addison
> Date: Tue, 01 Oct 2024 22:36:39 +0100
> Subject: grub2: build rescue ISO reproducibly
>
> Extend the xorriso command-line invocation to configure a specific
> timestamp for all files during creation of Grub rescue ISO images.
>
> The timestamp to use is read from the SOURCE_DATE_EPOCH environment
> variable when it is set.
>
> Bug-Debian: https://bugs.debian.org/787795
> ---
> --- a/util/grub-mkrescue.c > +++ b/util/grub-mkrescue.c > @@ -576,7 +576,13 @@ > { > time_t tim; > struct tm *tmm; > - tim = time (NULL); > + /* https://reproducible-builds.org/docs/source-date-epoch/ */ > + char *source_date_epoch; > + /* This assumes that the SOURCE_DATE_EPOCH environment variable will contain > + a correct, positive integer in the time_t range */ > + if ((source_date_epoch = getenv("SOURCE_DATE_EPOCH")) == NULL || > + (tim = (time_t)strtoll(source_date_epoch, NULL, 10)) <= 0) > + time(&tim); > tmm = gmtime (&tim); > iso_uuid = xmalloc (55); > grub_snprintf (iso_uuid, 50, > @@ -600,6 +606,19 @@ > xorriso_push (uuid_out); > free (uuid_out); > } > + { > + char *uuid_out = xmalloc (strlen (iso_uuid) + 1); > + char *optr; > + const char *iptr; > + optr = grub_stpcpy (uuid_out, ""); > + for (iptr = iso_uuid; *iptr; iptr++) > + if (*iptr != '-') > + *optr++ = *iptr; > + *optr = '\0'; > + xorriso_push ("--set_all_file_dates"); > + xorriso_push (uuid_out); > + free (uuid_out); > + } > > /* build BIOS core.img. */ > if (source_dirs[GRUB_INSTALL_PLATFORM_I386_PC])
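Review bot: in the `@@ -576,7 +576,13 @@` hunk of util/grub-mkrescue.c, `strtoll(source_date_epoch, NULL, 10)` is called with no end pointer and no `errno` check, so a value such as `12abc` is accepted as 12, and an empty or non-numeric value silently falls through to `time(&tim)` and yields an unreproducible image with no diagnostic. Pass an `endptr`, reject trailing characters and `ERANGE`, and report an error when the variable is set but invalid. The `<= 0` test also treats a value of 0 as unset, which the comment should say.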
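Review bot: the block added in the `@@ -600,6 +606,19 @@` hunk pushes `--set_all_file_dates` unconditionally, so file dates in the image change for every build, not only when SOURCE_DATE_EPOCH is set. Either guard the block on the variable or say in the commit message that the behaviour change is intended. As a style point, `optr = grub_stpcpy (uuid_out, "");` only sets `optr` to `uuid_out`, and a plain assignment would read more clearly.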
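A stricter way to read SOURCE_DATE_EPOCH than the assumption stated in the patch comment above, as an added example that is not code from GRUB or from the patch. The function names, the fail-closed behaviour for a set-but-invalid value, and the YYYYMMDDhhmmsscc output format are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for gmtime_r() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Strictly parse SOURCE_DATE_EPOCH: decimal digits only, within time_t.
   Returns 0 and stores the value in *out, or -1 if the string is rejected. */
int parse_source_date_epoch(const char *s, time_t *out)
{
    long long v;
    /* strtoll() skips blanks, accepts a sign and stops at junk: check first. */
    if (s == NULL || *s == '\0' || s[strspn(s, "0123456789")] != '\0')
        return -1;
    errno = 0;
    v = strtoll(s, NULL, 10);
    if (errno == ERANGE || (long long)(time_t)v != v)   /* out of range */
        return -1;
    *out = (time_t)v;
    return 0;
}

/* Write the UTC timestamp as YYYYMMDDhhmmsscc (format is an assumption).
   Returns 1 if pinned by SOURCE_DATE_EPOCH, 0 if the variable was unset
   and the clock was used, -1 if it was set but invalid (fail closed). */
int build_timestamp(const char *sde, char *buf, size_t len)
{
    time_t t;
    struct tm tm;

    if (sde == NULL)
        t = time(NULL);
    else if (parse_source_date_epoch(sde, &t) != 0)
        return -1;
    if (gmtime_r(&t, &tm) == NULL || strftime(buf, len, "%Y%m%d%H%M%S00", &tm) == 0)
        return -1;
    return sde != NULL;
}

int main(void)
{
    char buf[32];
    int rc = build_timestamp(getenv("SOURCE_DATE_EPOCH"), buf, sizeof buf);
    if (rc < 0)
        return fprintf(stderr, "invalid SOURCE_DATE_EPOCH\n"), 1;
    printf("%s (%s)\n", buf, rc ? "pinned" : "system clock");
    return 0;
}
```

Unlike the patch, this accepts 0 as a valid epoch and refuses to fall back to the clock when the variable is set to something unparsable, so a misconfigured build fails visibly instead of producing a differing image.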