[Reproducible-builds] Wrong reproducibility reported for libdevel-cover-perl? (i.e. I suspect a false negative)

Mattia Rizzolo mattia at debian.org
Fri Apr 22 09:43:42 UTC 2016 

On Thu, Apr 21, 2016 at 11:34:14PM +0100, Dominic Hargreaves wrote:
> On Thu, Apr 21, 2016 at 11:30:19PM +0200, Axel Beckert wrote:
> > So either there is an according bug somewhere in diffoscope (which I
> > doubt :-) for a very long time or we should also make the second build
> > differ in the build directory name to catch such issues.
> > 
> > In case the latter is already done, I'm out of ideas why that package
> > counts as reproducibly buildable.
> 
> The build path is part of the specification for the overall environment,
> if I'm not mistaken - so the build is allowed to vary with changes to it.
> 
> https://wiki.debian.org/ReproducibleBuilds/Howto
> 
> I suppose embedding build paths is too widespread to make eliminating
> that feasible, and making the build path the same is easy enough?

The build path is encodeded inside ELF binaries (in some debug fields,
iirc), so we can't really change it between builds, or otherwise every
compiled thing would be unreproducible.
There is work going on to be able to avoid having that data included in
the binary at all, but that is requiring changes in gcc (dkg is taking
care of this bit).

For some history on why we gave up on this see
https://wiki.debian.org/ReproducibleBuilds/History#Giving_up_on_build_paths
(that would need to be updated to match the current WIP, though).


So, yes, we are not varying the build path, and we're aware of it :)

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20160422/f956d38f/attachment.sig>

More information about the Reproducible-builds mailing list