On 8/29/18 4:23 PM, Jelle van der Waa wrote:
Most of our PKGBUILDs svn propset's break reproducible builds and the pkgbuild_sha256sum in the BUILDINFO file. When building a package before committing the PKGBUILD the propset $Id will differ since the $Id is set on commit.
This has a few implications, pkgbuild_sha256sum is useless and we can't reproduce packages due to the BUILDINFO not matching. Also the reproduce tool uses ASP to retrieve the PKGBUILD and therefore can't verify that it got the correct PKGBUILD (it relies on pkgbuild_sha256sum).
To resolve this issue we could simply remove the propset id's, since for me, although not sure about others, they don't seem particularly useful.
I've never been entirely clear on their motivating purpose, in fact.

Also to expand on the general issue for people who aren't in #archlinux-reproducible:

When you run extra-x86_64-build, you're using the PKGBUILD you're about to commit, which svn will set to the expanded propset of the previous commit... which matches no file ever seen by svn. If you svn commit, and *then* extra-x86_64-build, then svn will actually have the right file.

What's the likelihood of people making sure to svn commit before making sure the package actually builds as expected...

IIRC at least some packages seem to have been built by the svntogit exported PKGBUILD (e.g. via asp) since their pkgbuild_sha256sum can be obtained from asp.

This results in far too many ways to maybe get the actual file used to build, and in the most likely scenario it requires deep forensics of the svn repository.

... svn propsets will die either way whenever we finally manage to migrate away from svn and onto git.

-- 
Eli Schwartz
Bug Wrangler and Trusted User
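
Added example, not part of the original message or of any Arch tooling: a Python check that tells an Id-only pkgbuild_sha256sum mismatch apart from a real content difference by re-inserting the expanded Id of an earlier revision into the committed PKGBUILD. The function names, the sample PKGBUILD and the Id strings are constructed for illustration.

```python
import hashlib
import re

# An svn Id keyword, unexpanded ("$Id$") or expanded ("$Id: PKGBUILD 3 ... $").
ID_KEYWORD = re.compile(rb"\$Id(?::[^$\n]*)?\$")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def recorded_sum(buildinfo):
    """Read pkgbuild_sha256sum from the 'key = value' lines of a BUILDINFO file."""
    for line in buildinfo.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "pkgbuild_sha256sum":
            return value.strip()
    raise ValueError("BUILDINFO has no pkgbuild_sha256sum")


def explain(buildinfo, committed, older_ids):
    """Say how the recorded hash relates to the committed PKGBUILD (bytes).

    older_ids: expanded Id keywords (bytes) of earlier revisions, newest first.
    """
    want = recorded_sum(buildinfo)
    if sha256_hex(committed) == want:
        return "exact: built from the committed file"
    # Built before commit: new body, but still carrying an earlier revision's Id.
    for old_id in older_ids:
        rebuilt = ID_KEYWORD.sub(lambda _m: old_id, committed)
        if sha256_hex(rebuilt) == want:
            return "id-only: built before commit, stale " + old_id.decode()
    return "mismatch: content differs beyond the Id keyword"


# Constructed sample data, not taken from any real package or repository.
OLD_ID = b"$Id: PKGBUILD 100 2018-08-01 10:00:00Z alice $"
NEW_ID = b"$Id: PKGBUILD 101 2018-08-29 14:00:00Z alice $"
BODY = b"\npkgname=example\npkgver=1.1\npkgrel=1\n"
BUILT = b"# " + OLD_ID + BODY      # working copy at build time
COMMITTED = b"# " + NEW_ID + BODY  # same body after the commit rewrote the Id
BUILDINFO = ("format = 1\npkgname = example\n"
             "pkgbuild_sha256sum = " + sha256_hex(BUILT) + "\n")

if __name__ == "__main__":
    print(explain(BUILDINFO, COMMITTED, [OLD_ID]))
```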