libtool and reproducible builds

Helmut Grohne helmut at subdivi.de
Fri Jan 11 16:26:44 GMT 2019


Hi Bill,

On Tue, Jan 08, 2019 at 12:49:11PM +0100, Bill Allombert wrote:
> I found a reproducibility issue with packages that ship a libtool
> script which differs depending on whether multiarch is enabled or not.

That's interesting indeed. I was aware that libtool was unreproducible
in cross builds vs. native builds. Naturally, cross builds do enable
multiarch, but thus far I couldn't attribute it to enabling multiarch.
Thank you.

> The script includes a line like
> 
>   # Detected run-time system search path for libraries.
>   sys_lib_dlsearch_path_spec="/lib /usr/lib /usr/lib/x86_64-linux-gnu/libfakeroot /usr/local/lib /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu "

I think that's actually fine, due to the way libtool is used.  You
generate one for each build. It's only a temporary thing that is deleted
at the end of the build.

The more interesting question here is: How does that leak into your
.deb?

> -sys_lib_dlsearch_path_spec="/lib /usr/lib
> /usr/lib/x86_64-linux-gnu/libfakeroot /usr/local/lib
> /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu
> /usr/lib/x86_64-linux-gnu /lib32 /usr/lib32
> "
> +sys_lib_dlsearch_path_spec="/lib /usr/lib
> /usr/lib/x86_64-linux-gnu/libfakeroot /usr/local/lib
> /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu
> /usr/lib/x86_64-linux-gnu "

This is not a multiarch leak, but a multilib leak. /lib32 and /usr/lib32
are quite certainly never involved with multiarch. Very likely, you
installed libc6-i386 here.

Furthermore, we see a fakeroot path here. Your build will also be
unreproducible wrt. additionally installing e.g. libfakechroot. Or not
installing fakeroot (for a Rules-Requires-Root: no package).

Here the question is: How much reproducibility do we want? Is installing
or removing extra packages something we want to test? That could become
quite messy rather quickly.

> I do not know how to fix that.
> 
> However reproducible-builds.org could try to detect this (by enabling
> multiarch in one build).

I think an even better way to detect this is:

echo /your/build/is/not/reproducible >/etc/ld.so.conf.d/reprodcuible-canary.conf

Before delving into the question how to fix this, I'm interested in
learning how this leaks from libtool into packages. I'd prefer if you
have multiple examples to draw conclusions from.

Please Cc me, if you want me to reply as I'm not reading the list.

Helmut
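
Added example, not part of the original message or of any project's tooling: a shell sketch of a check for an unpacked package tree. It lists files that embed `sys_lib_dlsearch_path_spec` or the canary path, and shows which search-path entries differ between two builds. The file names `a/libtool`, `b/libtool` and `b/clean.sh` are hypothetical, the sample trees are constructed, and the variable is assumed to sit on a single line as in the quoted script.

```shell
#!/bin/sh
# Added example (not from the thread): find libtool run-time search paths that
# leaked into an unpacked package tree, and diff the entries of two builds.
CANARY=/your/build/is/not/reproducible  # path written by the canary command

# Print the sys_lib_dlsearch_path_spec entries of file $1, one per line, sorted.
dlsearch_entries() {
    sed -n 's/^sys_lib_dlsearch_path_spec="\(.*\)".*$/\1/p' "$1" |
        tr -s ' ' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

# List files under directory $1 that embed the variable or the canary path.
leaking_files() {
    grep -rlF -e 'sys_lib_dlsearch_path_spec="' -e "$CANARY" "$1" | LC_ALL=C sort
}

# Entries present in only one build: "< path" only in $1, "> path" only in $2.
dlsearch_diff() {
    _tab=$(printf '\t'); _a=$(mktemp); _b=$(mktemp)
    dlsearch_entries "$1" >"$_a"; dlsearch_entries "$2" >"$_b"
    LC_ALL=C comm -3 "$_a" "$_b" | sed -e "s/^$_tab/> /" -e '/^> /!s/^/< /'
    rm -f "$_a" "$_b"
}

# Constructed sample: tree a carries the multilib value quoted in the message,
# tree b carries the value without /lib32 /usr/lib32 but with the canary.
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/a" "$d/b"
    common="/lib /usr/lib /usr/lib/x86_64-linux-gnu/libfakeroot /usr/local/lib /usr/local/lib/x86_64-linux-gnu /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu"
    printf 'sys_lib_dlsearch_path_spec="%s /lib32 /usr/lib32 "\n' "$common" >"$d/a/libtool"
    printf 'sys_lib_dlsearch_path_spec="%s %s "\n' "$common" "$CANARY" >"$d/b/libtool"
    echo 'echo hello' >"$d/b/clean.sh"   # file without any leak
    echo "$d"
}

# Stand-alone use: pass two files that embed the variable to compare them.
if [ "$#" -eq 2 ]; then
    dlsearch_diff "$1" "$2"
fi
```

Run `leaking_files` on the directory produced by `dpkg-deb -x` to see which shipped files carry the host's library search path.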
