Bug#992722: nbdkit: non-reproducible build: CFLAGS are recorded in built binary
Simon McVittie
smcv at debian.org
Sun Aug 22 18:17:45 BST 2021
Source: nbdkit
Version: 1.26.5-1
Severity: normal
Tags: patch
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
User: reproducible-builds at lists.alioth.debian.org
Usertags: buildpath
The C compiler plugin nbdkit-cc-plugin.so in the nbdkit package records
the CFLAGS that it was built with, presumably so that it can pass them on
to objects that it is used to compile.
Unfortunately, the default CFLAGS from dpkg-buildflags include the build
path, which means this prevents the build from being reproducible (a
Policy §4.15 "should"). From a diffoscope comparison between two
consecutive builds using sbuild, for example:
│ │ │ ├── ./usr/lib/x86_64-linux-gnu/nbdkit/plugins/nbdkit-cc-plugin.so
...
│ │ │ │ ├── strings --all --bytes=8 {}
...
│ │ │ │ │ --g -O2 -ffile-prefix-map=/build/nbdkit-arafYk/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared
│ │ │ │ │ +-g -O2 -ffile-prefix-map=/build/nbdkit-icZkey/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared
After fixing #992702, this seems like it might be the only source of
non-reproducibility in the package, so if you're willing to apply a
(probably Debian-specific) patch to avoid it, the package is likely to
become fully reproducible. Please see attached for a possible implementation.
Alternatively, if the CFLAGS from building nbdkit itself are not actually
needed when building third-party code using the cc plugin, then it might
be OK to just pass -DCFLAGS="\"-fPIC -shared\"" and omit $(CFLAGS) altogether?
But I don't know this package (I don't use it myself) so there might be
a reason I'm unaware of why that would be undesirable.
See also #985553, which would avoid the need to apply this patch if
implemented.
Thanks,
smcv
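
Added example, not the patch attached to this report and not nbdkit's own build code: one way a build step could drop the options that name the build directory from CFLAGS before the string is recorded, with a check that the result no longer varies between build directories. The function names are hypothetical, the two input strings are the ones from the diffoscope output above, and flags are assumed to contain no quoted spaces.

```sh
#!/bin/sh
# Added example; function names are hypothetical, not from nbdkit or the attached patch.

# strip_path_flags FLAGS
# Print FLAGS without the options that map (and therefore name) the build
# directory. Runs in a subshell with globbing off so that splitting FLAGS
# on whitespace cannot expand wildcards. Flags containing quoted spaces
# are not handled.
strip_path_flags() (
    set -f
    out=
    for flag in $1; do
        case $flag in
            -ffile-prefix-map=*|-fdebug-prefix-map=*|-fmacro-prefix-map=*)
                continue ;;
        esac
        out="${out:+$out }$flag"
    done
    printf '%s\n' "$out"
)

# leaks_build_path FLAGS BUILDDIR
# Succeed (exit 0) if BUILDDIR still occurs anywhere in FLAGS.
leaks_build_path() {
    case $1 in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# The two recorded strings from the diffoscope output in this report.
build_a='-g -O2 -ffile-prefix-map=/build/nbdkit-arafYk/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared'
build_b='-g -O2 -ffile-prefix-map=/build/nbdkit-icZkey/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared'

recorded_a=$(strip_path_flags "$build_a")
recorded_b=$(strip_path_flags "$build_b")

if [ "$recorded_a" = "$recorded_b" ] && ! leaks_build_path "$recorded_a" /build/; then
    echo "recorded flags are identical: $recorded_a"
else
    echo "recorded flags still differ between builds" >&2
fi
```

The filter only covers the three prefix-map options; a build path passed another way (for example in an -I option) would still be caught by leaks_build_path but not removed.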