[Reproducible-builds] Fwd: reproducible builds

Jérémy Bobbio lunar at debian.org
Tue Feb 10 02:31:32 UTC 2015


Mattia Rizzolo:
> Andreas Beckmann:
> > Curious as I was, I wanted to do a bit more extreme testing, running the
> > first pbuilder build with --twice, but that resulted in differing
> > timestamps for the debian/ directory in the .debian.tar.xz tarball
> > (possible explanation: the initial timestamp of the directory was before
> > the changelog timestamp, so it didn't get updated during the first
> > dpkg-source -b, but after the first build the directory timestamp was
> > updated (since stuff has been created and deleted), so it got reset to
> > the changelog stamp in the second dpkg-source -b)
> > maybe setting the debian/ dir mtime to the changelog stamp always?
> > (should capture most of the reproducible --twice issues)
>
> not sure about this, but your explanation makes sense.
> Anyway, we do the test with two different calls to pbuilder, where we set
> different env variables, use unshare and the like.
> I don't think that pbuilder --twice (where the package is built twice from the
> same unpacked source) is a valuable testbed.

We have focused on making *binary* packages reproducible. I believe the
issue you are seeing is unreproducible source packages. The benefits of
the latter are quite small, so I don't think anyone seriously looked into
the latter problem.

> > * in beignet I have an unreproducible .pch (precompiler header) file -
> > any hints on what could be going on here? (although I'm more interested
> > in testing the experimental respectively pending-in-git version)

Is it required?

In any case, first thing is to understand why you get a different
Build ID in the library. The real source has been hidden by strip. The
problems might be related.

> > some remarks regarding rebuild.sh (I don't use it since it does not fit
> > my pbuilder setup, just took some ideas from it)
> > 
> > * you could use --buildresult b1/b2 and avoid copying the buildresult
> > around manually
> 
> I think the same.

I should have read pbuilder(8) more closely. Thanks!

-- 
Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
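
The directory-timestamp effect hypothesised in the quoted text above, as an added example that is not part of the original message and is not dpkg-source's code. It models two policies for the `debian/` entry in a tarball: clamping only mtimes newer than the changelog stamp (the behaviour the quoted explanation assumes) and always setting the mtime to the changelog stamp (the quoted suggestion). All timestamps and file contents are constructed.

```python
import hashlib
import io
import tarfile

CHANGELOG_STAMP = 1423500000          # constructed changelog timestamp
BEFORE_BUILD = CHANGELOG_STAMP - 86400  # debian/ untouched since unpacking
AFTER_BUILD = CHANGELOG_STAMP + 3600    # debian/ modified by the first build


def pack_debian_dir(dir_mtime, policy):
    """Return the SHA-256 of a tarball holding debian/ and debian/changelog.

    policy "clamp":  mtimes newer than the changelog stamp are reset to it,
                     older ones are kept (assumed model of the observed run).
    policy "always": the directory mtime is always the changelog stamp.
    """
    if policy == "always":
        stored_mtime = CHANGELOG_STAMP
    else:
        stored_mtime = min(dir_mtime, CHANGELOG_STAMP)

    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        entry = tarfile.TarInfo("debian")
        entry.type = tarfile.DIRTYPE
        entry.mode = 0o755
        entry.mtime = stored_mtime
        tar.addfile(entry)

        data = b"pkg (1.0-1) unstable; urgency=low\n"  # constructed content
        changelog = tarfile.TarInfo("debian/changelog")
        changelog.size = len(data)
        changelog.mode = 0o644
        changelog.mtime = CHANGELOG_STAMP
        tar.addfile(changelog, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()


def compare(policy):
    """True when the first and second source builds give identical tarballs."""
    first = pack_debian_dir(BEFORE_BUILD, policy)
    second = pack_debian_dir(AFTER_BUILD, policy)
    return first == second


if __name__ == "__main__":
    for policy in ("clamp", "always"):
        print(policy, "reproducible" if compare(policy) else "differs")
```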