[Reproducible-builds] reproducible build examples

Reiner Herrmann reiner at reiner-h.de
Wed Mar 30 22:57:27 UTC 2016 

Hi Christian,

On Wed, Mar 30, 2016 at 11:23:44AM +0200, Christian T. Steigies wrote:
> > > However, I have problems with the examples:
> > > 
> > > https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal#Examples
> > > 
> > > They do not seem to work for me out of the box (maybe you can provide links
> > > to real examples, you are publishing progress reports, shouldn't they make
> > > nice examplees?).
> > 
> > Indeed. That's why there's ???proposed patches??? section with links to bug
> > reports in almost each report.
> 
> I have seen one which simply removed the timestamp from the executable. I do
> not consider that as a solution, it is just a quick and dirty workaround.

I think it depends on the timestamp. In most cases they have no real
meaning/use to the user and there is no harm in removing them. So I
would say removing them where possible is actually a solution.
SOURCE_DATE_EPOCH can then be used as a "workaround" when upstream
insists on keeping timestamps or there are other reasons to keep it.

> I don't know how big of a problem this is, if it is worth the effort. But I
> think more documentation, more examples are always good. It took me a while
> to figure this out, only to realize that also the documentation is affected,
> in two different places.
> 
> The webpage was not very helpful at the beginning:
> https://tests.reproducible-builds.org/rb-pkg/unstable/amd64/gle-graphics.html
>  
> The start page mentions problems which (I though) I had fixed long ago.
> The diffoscope page (not there anymore due to FTBFS?) showed the actual
> problems. It would have been nice, however, if it would have said in big
> letters, that latex can not build reproducible PDFs since a timestamp is
> embedded.

Thanks for fixing the issue mentioned there!
We are reviewing the issues mostly manually. The note in your example
was a bit outdated. We might also not always see _all_ issues in the diff.
Sometimes it is just too large and hides other issues. Perhaps this
was the reason why the PDF issue was not mentioned in the note.
But I just updated it. :)

> So in my last try, I use faketime to generate the documentation,
> which seems to work on my system, but generates an FTBFS on the jenkins
> servers. I think it is this bug (also affects one of the buildds):
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778462
> 
> Now I m stuck, can I not use faketime to build PDFs? How should I build PDFs
> then? Or is this a bug in the testing servers and I have to wait until they
> are fixed (also the hurd-i386 buildd)?

Yes, we don't recommend the usage of faketime.
I would instead remove the first timestamp in the PDF documentation and
replace the second one with some dummy value.

> I wonder if I can test reproducibility without a full upload, only to
> realize there is another timestamp hidden somewhere.

We have a script called prebuilder, which can be used locally to build
packages twice with different variations [1] [2].
This detects already a lot of issues.

Kind regards,
  Reiner

[1] https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain#Usage_example
[2] https://anonscm.debian.org/cgit/reproducible/misc.git/tree/prebuilder
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20160331/ac5c2301/attachment.sig>

More information about the Reproducible-builds mailing list