Empty build-id to make package reproducible

Mattia Rizzolo mattia at debian.org
Sat Sep 1 22:24:55 BST 2018 

On Sun, Sep 02, 2018 at 12:15:57AM +0300, Otto Kekäläinen wrote:
> First we fixed what r-b infra showed in diffoscope as the culprit,
> then we fixed what reprotest showed as the failure on Salsa-CI. None
> of the fixes were uploaded and now all of a sudden r-b pass..

Oh, that's annoying.  And alas hard to figure now unless you just so
happen to have the .buildinfo of some unreproducible builds :|

> > As a datapoint, the package is reproducible in our infra.
> 
> Apparently it now is..
> 2018-08-22 23:50 25.3.23-1 unstable amd64 reproducible
> 
> .. but it was not in unstable at the time we were investigating this
> and trying to fix it:
> 2018-07-05 21:09 25.3.23-1 unstable amd64 unreproducible unreproducible
> 
> (from https://tests.reproducible-builds.org/debian/history/galera-3.html)
> 
> It seems we were trying to fix in the package an issue that was after
> all in the r-b infra.

I hadn't looked at the history before.  Looking at it now it seems like
it was costantly unreproducible in unstable, and the first reproducible
built happened on 2018-08-12.  That would be somewhat consistent with
the change we did following the gcc-7→gcc-8 default change, where we
instructed gcc to inject a new build flag -ffile-prefix-map to fix
unreproducibilities caused by __FILE__ and assert() (that before should
have been still fixed by our patched gcc-7 though, so I wouldn't know
why it was unreproducible before without more data).

> > I see dkg submitted a change, https://salsa.debian.org/mariadb-team/galera-3/commit/853d8dc20dbf67e9d8ac76668098a6b3560ab786
> > however, I wonder if that actually works with --build-id=none, given
> > that the debug symbols are placed next to the build-id?  (not sure,
> > maybe there is a fallback, I haven't actually checked).
> 
> Well, as the package is now reproducible on r-b infra without any
> changes, I'll revert these experiments we did that are in git but
> never uploaded.

I recommend so, yes.  disabling the build id is something that I've
never seen done anywhere, and I wouldn't be confidend nothing will
notice…  To me it seems something that random tools could take as a
given.
And as dkg said, I would find it better to figure what causes it to
vary, rather than hide it :)

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-builds/attachments/20180901/e2e94fb8/attachment.sig>

More information about the Reproducible-builds mailing list