Debian unstable (and more) rep-bui problems (Was: Re: Rant about Debian reproducibility environment)

Steffen Nurpmeso steffen at sdaoden.eu
Wed Dec 11 17:00:24 GMT 2019


Hello.

I first wanted to reply to a thread from debian-devel@ from March
2018, but considering

Ian Jackson wrote in <23197.34063.950604.831279 at chiark.greenend.org.uk>:
 |Steffen Nurpmeso writes ("Re: Rant about Debian reproducibility environm\
 |ent"):
 |> But despite that and the possibly correct observation that placing
 |> just about any environmental info in any non-system-dependent
 |> object you can close the issue that is my rant, but will not get
 |> away from the fact that you cannot expect exactly identical binary
 |> outcome on two different build hosts, unless the actual build
 |> environment is the same to the detail.
 |
 |This is true.  But it is why the folks promoting reproducible builds
 |have made tools which can reproduce the build environment.
 |
 |I think your implication is that the reproducibility is theoretical
 |and therefore not useful.  I appreciate why you might think that, but
 |the reproducible builds folks have made it practically possible, so
 |it's not true.

i think this list is a better place?

I am the maintainer of a Unix mail/BSD Mail clone aka POSIX mailx
called s-nail (later s-mailx, hopefully).
Last week i was contacted by an i think ArchLinux mate who said

Jelle van der Waa wrote in <20191207105808.tzopwx7pkixsh63q at gmail.com>:
 |For Arch Linux we strive to make every package reproducible and we
 |noticed that s-nail is currently not reproducible due to the recording
 |of MAKEFLAGS in the s-nail binary by the VAL_BUILD_REST define.
 |
 |.obj/mk-config.h:#define VAL_BUILD_REST " -j100 --jobserver-auth=3,4"
 |
 |Would s-nail be open to removing the recording of MAKEFLAGS in the
 |resulting binary?  The test result of building s-nail twice with a
 |different configured MAKEFLAGS can be viewed here:
 |
 |https://tests.reproducible-builds.org/archlinux/core/s-nail/s-nail-14.9.\
 |15-2-x86_64.pkg.tar.xz.html
 |
 |More information about reproducible builds. https://reproducible-builds.\
 |org/

I responded

 |Well.  Hm.  We are reproducible for many years!  For me this
 |smells like Debian messed around (again) with the definition of
 |what a reproducible build actually is, or how up-to-date their
 |builders are.  I had a short run on the Debian list last year on
 |that already [1].
 |
 |  [1] https://lists.debian.org/debian-devel/2018/03/msg00036.html
 |
 |Looking at the Debian tracker, i see that the reproducibility suns
 |disappeared on all tested platforms, but for the unstable branch
 |only.  To me this is again a misconfiguration of the test
 |builders.  I think baking MAKEFLAGS into the binary is just as
 |proper as baking in compiler command line flags, they just did not
 |think about it.
 |
 |The make command line is used for configuration options, just as
 |are ./configure arguments for other packages.  While some of them
 |are deducible by other means, some may not, or be only very hard
 |to collect whereas now a user could simply mail bugs in
 |conjunction with the output of "mailx -v -Xversion -Xx".
 |
 |And really, the Debian tests fail because they seem to pass paths
 |like test1/ and test2/ (or so) into our configuration -- via make
 |command lines?  How can that be right?
 |
 ||Thanks in advance,
 |
 |I refrain from doing that, because our build system allows passing
 |prefilled INCS= and LIBS= variables etc, and we also allow
 |predefined CONFIG= to be passed, things which are _only_ tracked
 |via the make(1) command line, and which thus enter MAKEFLAGS.
 |I think reproducible-builds.org should treat make(1) flags just as
 |they do with other flags, and like i said in above thread
 |
 |  you can close the issue that is my rant, but will not get
 |  away from the fact that you cannot expect exactly identical binary
 |  outcome on two different build hosts, unless the actual build
 |  environment is the same to the detail.
 |
 |Unless the social pressure becomes unbearable to me this is a bug
 |on the Debian side.

I must admit the tone was pretty rude, i apologise for that, as
shit happens everywhere and anytime.

So i thought the best would be to bring to your attention that the
reproducible-org build environment does currently not guarantee
reproducibility, because it does not ensure reproducible
MAKEFLAGS.  Fixing this should bring back reproducibility of this
little MUA on Debian unstable and ArchLinux.

Thanks, and Ciao from rainy Germany i wish.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
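
The following is an added example, not part of the original message and not s-nail's build code: one way a configure step could keep the configuration-bearing part of MAKEFLAGS while dropping the job-control tokens that differ between builders. The function names and the `CONFIG=example` value are hypothetical.

```shell
#!/bin/sh
# Added example (not s-nail code); function names are hypothetical.

# normalize_makeflags STRING
# Print STRING without the tokens that only describe build parallelism.
# Assumes values are attached to their flag (-j100), as in the
# VAL_BUILD_REST line quoted in the message.
normalize_makeflags() (
    set -f   # split on whitespace only, no filename globbing
    out=
    for tok in $1; do
        case $tok in
            -j|-j[0-9]*|--jobs|--jobs=*) continue ;;
            -l|-l[0-9]*|--load-average|--load-average=*) continue ;;
            --jobserver-auth=*|--jobserver-fds=*) continue ;;
        esac
        out="${out:+$out }$tok"
    done
    printf '%s' "$out"
)

# emit_define STRING
# Print the header line a configure step would record for STRING.
emit_define() {
    printf '#define VAL_BUILD_REST "%s"\n' "$(normalize_makeflags "$1")"
}

# Constructed sample values: two builds of the same configuration that
# differ only in the parallelism chosen by the builder.
run_a=' -j100 --jobserver-auth=3,4 -- CONFIG=example'
run_b=' -j4 --jobserver-auth=5,6 -- CONFIG=example'

emit_define "$run_a"
emit_define "$run_b"
```

Both calls print the same line, so the recorded string no longer depends on the builder's job count. Variables that carry build paths (the `test1/` and `test2/` case mentioned in the message) pass through unchanged and would still differ between build directories.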


