Bug#992722: nbdkit: non-reproducible build: CFLAGS are recorded in built binary

[Simon McVittie]

Source: nbdkit
Version: 1.26.5-1
Severity: normal
Tags: patch
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
User: reproducible-builds at lists.alioth.debian.org
Usertags: buildpath

The C compiler plugin nbdkit-cc-plugin.so in the nbdkit package records
the CFLAGS that it was built with, presumably so that it can pass them on
to objects that it is used to compile.

Unfortunately, the default CFLAGS from dpkg-buildflags include the build
path, which means this prevents the build from being reproducible (a
Policy §4.15 "should"). From a diffoscope comparison between two
consecutive builds using sbuild, for example:

│ │ │ ├── ./usr/lib/x86_64-linux-gnu/nbdkit/plugins/nbdkit-cc-plugin.so
...
│ │ │ │ ├── strings --all --bytes=8 {}
...
│ │ │ │ │ --g -O2 -ffile-prefix-map=/build/nbdkit-arafYk/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared
│ │ │ │ │ +-g -O2 -ffile-prefix-map=/build/nbdkit-icZkey/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared

After fixing #992702, this seems like it might be the only source of
non-reproducibility in the package, so if you're willing to apply a
(probably Debian-specific) patch to avoid it, the package is likely to
become fully reproducible. Please see attached for a possible implementation.

Alternatively, if the CFLAGS from building nbdkit itself are not actually
needed when building third-party code using the cc plugin, then it might
be OK to just pass -DCFLAGS="\"-fPIC -shared\"" and omit $(CFLAGS) altogether?
But I don't know this package (I don't use it myself) so there might be
a reason I'm unaware of why that would be undesirable.

See also #985553, which would avoid the need to apply this patch if
implemented.

Thanks,
    smcv