Empty build-id to make package reproducible

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Aug 31 17:27:31 BST 2018

Hi Otto--

On Fri 2018-08-31 09:44:18 +0300, Otto Kekäläinen wrote:
> pe 31. elok. 2018 klo 0.46 Daniel Kahn Gillmor (dkg at fifthhorseman.net)
> kirjoitti:
> ..
>> does this mean that galera-3 debugging symbols won't be easily findable?
> Perhaps, but we decided that responsibility is important and the
> package should pass the new CI pipeline we set up at
> https://salsa.debian.org/mariadb-team/galera-3/pipelines/15700
> Note that this still just a commit on sitting on the master branch,
> and it hasn't yet been uploaded anywhere and this might not be the
> final solution.

I'm not sure what you mean by "responsibility" here.  Do you mean
"reproducibility"?  I agree that reproducibility is important!  thanks
for setting up this pipeline and pointing to it.  I'll look into how to
do that for other debian packages. :)

That said, my experience with the build-id is that it becomes
reproducible once everything else in the package is reproducible -- so
it's typically a symptom of some other unreproducibility.

If that's not the case for galera-3, that's an interesting outcome, and
one that suggests that either (a) there is some other non-reproducible
thing that the build process repairs *after* build-id is generated, or
(b) my mental model of how the build-id is created is wrong.

Do you know which one it is?  if it's (a), can you point to any details?

>> then again, the debugging symbols for galera-3 look like they're being
>> generated in a way that is pretty out-of-date, and hasn't been touched
>> in at least 3 years, so maybe the maintainers don't care about these
>> symbols very much:
>>    https://salsa.debian.org/mariadb-team/galera-3/blame/master/debian/rules#L51
> This package is actively maintained and everything should be up to
> date. If you are an expert on debug package rules stanzas, we are
> happy to take any suggestions (or merge requests on Salsa) to make
> that section not so "pretty out-of-date".

i'm not an expert on this stuff either, but i think the the changeover
should be pretty simple.  I've just filed an (untested) changeset as a
merge request here:


My knowledge of debug symbols in debian derives in large part from the
Debian wiki:


Thanks very much for your active work maintaining this project in
debian, and for your attention to reproducibility!

All the best,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-builds/attachments/20180831/1eb15958/attachment.sig>

More information about the Reproducible-builds mailing list