[Reproducible-builds] Result of experimenting on 172 core packages

Jérémy Bobbio lunar at debian.org
Sun Sep 21 16:54:45 UTC 2014


Andrew Ayer finished the packaging of `strip-nondeterminism` [1] a few
days ago. This was the last remaining piece to start experimenting with
the toolchain changes that were outlined during DebConf.

Using an UDD query [2], I have selected 172 core source packages.
Packages have been built two times in a row using pbuilder in a modified
sid chroot, with our custom build environment [3] installed. The process
for creating such a chroot, and the one for building and comparing
packages has been added to the wiki page [4].

Couple highlights from the results [5]:

 * 52 packages (30%) can be successfully build reproducibly. This
   includes pam and openssh.
 * 94 packages (55%) do not uses `dh`. With our current toolchain
   modifications, that means that `dh_fixmtimes` is not being called,
   which in turns mean timestamp variations in `data.tar`.
 * 18 packages (10%) cannot be rebuilt identically.

Common issues in the package that failed [6]: timestamp in Doxygen generated
documentation, timestamp in other documentation generators, and build
ids mismatch.

If you are up for it, these ones could be investigated and fixed right now!

For the packages that are not using `dh` [7], the next steps are less
clear to me.

For ones that do not uses debhelper purposedly, I believe patches could
add to `debian/rules` the same `find` command that `dh_fixmtimes` uses.

Others uses most of debhelper, so they should probably simply be updated
to use `dh`.

But some are really in between, with super complicated build processes.
`gcc` and `binutils` are going to be fun, that's for sure.

One other things that could be done now, is to patch cdbs in order to
have it call our new helper at the right time.

Other notes:

sources.debian.net was super useful to have a look at packages'
`debian/rules` without having to download the source.

`proot` is unreliable. It made the build process freeze a couple of
times while calling `dpkg-deb`. Enough so that I got fed up, and
reverted 2f4ab9cd (affecting dpkg-buildpackage) manually. `pbuilder`
always use the same build path, so it was alright to go one

Comments, feedback, and questions are all highly welcome!

 [1]: https://anonscm.debian.org/cgit/reproducible/strip-nondeterminism.git/
 [2]: https://wiki.debian.org/ReproducibleBuilds#Archive_wide_rebuilds
 [3]: https://wiki.debian.org/ReproducibleBuilds#Custom_build_environment
 [4]: https://wiki.debian.org/ReproducibleBuilds#Usage_example
 [5]: https://wiki.debian.org/ReproducibleBuilds/RebuildCore20140919
 [6]: https://wiki.debian.org/ReproducibleBuilds/RebuildCore20140919#Failing
 [7]: https://wiki.debian.org/ReproducibleBuilds/RebuildCore20140919#Not_using_.60dh.60

Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20140921/2974b3c4/attachment.sig>

More information about the Reproducible-builds mailing list