[arch-dev-public] Reproducible builds

Allan McRae allan at archlinux.org
Sat Aug 8 12:45:49 UTC 2015


Hi all,

You might have read about Debian and Fedora (and others?) looking at
having all their builds reproducible - as in, everything will be exactly
the same if you rebuild the package:

https://wiki.debian.org/ReproducibleBuilds
https://securityblog.redhat.com/2013/09/18/reproducible-builds-for-fedora/

A bunch of people have approached me about this for Arch (I think there
is a bug report too).  My general opinion is that it will be very
difficult due to the rolling release nature of Arch. Updating the
toolchain, libraries, ..., all make this difficult.  There is potential
to regenerate the build environment to work around this, but that is
another story.

I made a small tool to build a package twice and compare the output
(md5sum).  I ran that over [core].  Here is a summary of the results:


Failed to build:
FAIL: acl - build failed
FAIL: attr - build failed
FAIL: binutils - build failed
FAIL: glibc - build failed
FAIL: grub - build failed
FAIL: iptables - build failed
FAIL: ipw2100-fw - build failed
FAIL: ipw2200-fw - build failed
FAIL: isdn4k-utils - build failed
FAIL: ldns - build failed
FAIL: libpcap - build failed
FAIL: lvm2 - build failed
FAIL: mkinitcpio - build failed
FAIL: openvpn - build failed
FAIL: perl - build failed
FAIL: pth - build failed
FAIL: syslinux - build failed
FAIL: reiserfsprogs - build failed

(not sure about binutils and glibc...  I built these two days ago!  So
there are potential false positives among these.)



Builds are not reproducible:

FAIL: bison - not reproducible
b2/usr/lib/liby.a: FAILED

FAIL: dbus - not reproducible
b2/usr/share/doc/dbus/dbus-test-plan.html: FAILED
b2/usr/share/doc/dbus/dbus-specification.html: FAILED
b2/usr/share/doc/dbus/dbus-faq.html: FAILED

FAIL: dnssec-anchors - not reproducible
b2/etc/trusted-key.key: FAILED

FAIL: e2fsprogs - not reproducible
b2/usr/share/info/libext2fs.info.gz: FAILED

FAIL: gcc - not reproducible
b2/usr/lib/libgolibbegin.a: FAILED
b2/usr/lib/libstdc++.a: FAILED
b2/usr/lib/libnetgo.a: FAILED
b2/usr/lib/libgobegin.a: FAILED
b2/usr/lib/libsupc++.a: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/libcaf_single.a: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/libgcc.a: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/cc1plus: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/cc1objplus: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/libgfortranbegin.a: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/cc1obj: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/libgcc_eh.a: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/libgcov.a: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/adalib/g-sercom.ali: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/adalib/s-stusta.ali: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/adalib/a-rttiev.ali: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/adalib/s-tposen.ali: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/adalib/s-taasde.ali: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/adalib/a-sytaco.ali: FAILED
<snip>
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/adalib/s-tarest.ali: FAILED
b2/usr/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/cc1: FAILED
b2/usr/lib/libiberty.a: FAILED

FAIL: gdbm - not reproducible
b2/usr/lib/libgdbm.so.4.0.0: FAILED

FAIL: glib2 - not reproducible
b2/usr/share/glib-2.0/codegen/codegen_main.pyo: FAILED
b2/usr/share/glib-2.0/codegen/__init__.pyo: FAILED
b2/usr/share/glib-2.0/codegen/codegen.pyc: FAILED
b2/usr/share/glib-2.0/codegen/config.pyo: FAILED
b2/usr/share/glib-2.0/codegen/codegen_main.pyc: FAILED
b2/usr/share/glib-2.0/codegen/parser.pyo: FAILED
b2/usr/share/glib-2.0/codegen/codegen_docbook.pyc: FAILED
b2/usr/share/glib-2.0/codegen/dbustypes.pyo: FAILED
b2/usr/share/glib-2.0/codegen/config.pyc: FAILED
b2/usr/share/glib-2.0/codegen/utils.pyc: FAILED
b2/usr/share/glib-2.0/codegen/utils.pyo: FAILED
b2/usr/share/glib-2.0/codegen/__init__.pyc: FAILED
b2/usr/share/glib-2.0/codegen/codegen_docbook.pyo: FAILED
b2/usr/share/glib-2.0/codegen/codegen.pyo: FAILED
b2/usr/share/glib-2.0/codegen/parser.pyc: FAILED
b2/usr/share/glib-2.0/codegen/dbustypes.pyc: FAILED

FAIL: gnutls - not reproducible
b2/usr/share/man/man1/ocsptool.1.gz: FAILED
b2/usr/share/man/man1/gnutls-cli.1.gz: FAILED
b2/usr/share/man/man1/gnutls-cli-debug.1.gz: FAILED
b2/usr/share/man/man1/tpmtool.1.gz: FAILED
b2/usr/share/man/man1/p11tool.1.gz: FAILED
b2/usr/share/man/man1/srptool.1.gz: FAILED
b2/usr/share/man/man1/gnutls-serv.1.gz: FAILED
<snip>
b2/usr/share/man/man3/gnutls_ocsp_resp_get_extension.3.gz: FAILED
b2/usr/share/info/gnutls.info-2.gz: FAILED
b2/usr/share/info/gnutls-guile.info.gz: FAILED
b2/usr/share/info/gnutls.info-3.gz: FAILED
b2/usr/share/info/gnutls.info-4.gz: FAILED
b2/usr/share/info/gnutls.info-1.gz: FAILED
b2/usr/share/info/gnutls.info-6.gz: FAILED
b2/usr/share/info/gnutls.info-5.gz: FAILED
b2/usr/share/info/gnutls.info.gz: FAILED

FAIL: iproute2 - not reproducible
b2/usr/lib/libnetlink.a: FAILED

FAIL: links - not reproducible
b2/usr/bin/links: FAILED
b2/usr/bin/xlinks: FAILED

FAIL: linux - not reproducible
b2/usr/lib/modules/4.1.4-1-ARCH/build/include/generated/compile.h: FAILED
b2/usr/lib/modules/4.1.4-1-ARCH/build/vmlinux: FAILED
b2/boot/vmlinuz-linux: FAILED

FAIL: linux-lts - not reproducible
b2/usr/lib/modules/3.14.49-1-lts/build/include/generated/compile.h: FAILED
b2/usr/lib/modules/3.14.49-1-lts/build/vmlinux: FAILED
b2/usr/lib/modules/3.14.49-1-lts/kernel/security/keys/trusted.ko.gz: FAILED
b2/usr/lib/modules/3.14.49-1-lts/kernel/security/keys/encrypted-keys/encrypted-keys.ko.gz: FAILED
b2/usr/lib/modules/3.14.49-1-lts/kernel/net/xfrm/xfrm_algo.ko.gz: FAILED
b2/usr/lib/modules/3.14.49-1-lts/kernel/net/xfrm/xfrm_user.ko.gz: FAILED
b2/usr/lib/modules/3.14.49-1-lts/kernel/net/xfrm/xfrm_ipcomp.ko.gz: FAILED
b2/usr/lib/modules/3.14.49-1-lts/kernel/net/packet/af_packet_diag.ko.gz: FAILED
b2/usr/lib/modules/3.14.49-1-lts/kernel/net/core/netprio_cgroup.ko.gz: FAILED
<snip>
b2/usr/lib/modules/3.14.49-1-lts/kernel/kernel/trace/ring_buffer_benchmark.ko.gz: FAILED
b2/boot/vmlinuz-linux-lts: FAILED

FAIL: man-db - not reproducible
b2/usr/share/doc/man-db/man-db-manual.ps: FAILED

FAIL: mkinitcpio-busybox - not reproducible
b2/usr/lib/initcpio/busybox: FAILED

FAIL: nspr - not reproducible
b2/usr/lib/libnspr4.so: FAILED
b2/usr/lib/libplc4.so: FAILED
b2/usr/lib/libplds4.so: FAILED

FAIL: nss - not reproducible
b2/usr/lib/libnss3.so: FAILED
b2/usr/lib/libsoftokn3.so: FAILED
b2/usr/lib/libfreebl3.chk: FAILED
b2/usr/lib/libnssdbm3.chk: FAILED
b2/usr/lib/libcrmf.a: FAILED
b2/usr/lib/libsoftokn3.chk: FAILED
b2/usr/lib/libssl3.so: FAILED
b2/usr/lib/libfreebl3.so: FAILED
b2/usr/lib/libsmime3.so: FAILED

FAIL: openldap - not reproducible
b2/usr/lib/slapd: FAILED
b2/usr/bin/ldapmodrdn: FAILED
b2/usr/bin/ldapexop: FAILED
b2/usr/bin/ldapcompare: FAILED
b2/usr/bin/ldapdelete: FAILED
b2/usr/bin/ldappasswd: FAILED
b2/usr/bin/ldapsearch: FAILED
b2/usr/bin/ldapwhoami: FAILED
b2/usr/bin/ldapmodify: FAILED
b2/usr/bin/ldapurl: FAILED

FAIL: readline - not reproducible
b2/usr/lib/libreadline.so.6.3: FAILED

FAIL: sudo - not reproducible
b2/usr/bin/visudo: FAILED

FAIL: systemd - not reproducible
b2/usr/lib/debug/usr/lib/systemd/systemd-timesyncd.debug: FAILED
b2/usr/lib/systemd/systemd-timesyncd: FAILED
b2/usr/share/polkit-1/actions/org.freedesktop.login1.policy: FAILED
b2/usr/share/polkit-1/actions/org.freedesktop.import1.policy: FAILED

FAIL: util-linux - not reproducible
b2/usr/lib/python3.4/site-packages/libmount/__pycache__/__init__.cpython-34.pyc: FAILED
b2/usr/lib/python3.4/site-packages/libmount/__pycache__/__init__.cpython-34.pyo: FAILED

FAIL: zlib - not reproducible
b2/usr/lib/libz.a: FAILED


Most of these look like timestamp issues (static libraries have a
timestamp, documentation generated with tools that leave a timestamp,
etc).  Some confuse me...  I have not investigated them all.


Anyway, this is more of a discussion point rather than something I see
we should be pursuing.  We don't have the resources that either Debian
or Fedora do, and hopefully their efforts head upstream. However, I am
not going to object if a community group wants to take this and see if
they can improve the situation.

Allan
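
Added example (not part of the original message and not the tool it describes): a sketch that compares two build trees file by file and separates differences that vanish once the embedded timestamp is masked from real content differences. It covers only two of the formats in the list above, ar static libraries and gzip files; the function names and the sample builders are assumptions made for illustration.

```python
import gzip, os

AR_MAGIC = b"!<arch>\n"

def strip_ar_mtime(data):
    """Blank the 12-byte mtime field of every ar member header."""
    out, pos = bytearray(data), len(AR_MAGIC)
    while pos + 60 <= len(out):
        # header: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] end[2]
        out[pos + 16:pos + 28] = b"0".ljust(12)
        size = int(bytes(out[pos + 48:pos + 58]).decode().strip())
        pos += 60 + size + (size & 1)  # members are 2-byte aligned
    return bytes(out)

def normalize(data):
    """Remove the build-time stamp from formats known to embed one."""
    if data.startswith(AR_MAGIC):
        return strip_ar_mtime(data)
    if data.startswith(b"\x1f\x8b"):  # gzip: 4-byte MTIME at offset 4
        return data[:4] + b"\0\0\0\0" + data[8:]
    return data

def classify(a, b):
    """Return 'same', 'timestamp-only' or 'content' for two file bodies."""
    if a == b:
        return "same"
    return "timestamp-only" if normalize(a) == normalize(b) else "content"

def compare_trees(b1, b2):
    """Map relative path -> verdict for every file in b1 that differs in b2."""
    report = {}
    for root, _, files in os.walk(b1):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), b1)
            p1, p2 = os.path.join(b1, rel), os.path.join(b2, rel)
            verdict = "missing"
            if os.path.isfile(p2):
                with open(p1, "rb") as f1, open(p2, "rb") as f2:
                    verdict = classify(f1.read(), f2.read())
            if verdict != "same":
                report[rel] = verdict
    return report

# Constructed samples: the same payload "built" at two different times.
def make_ar(mtime, body=b"obj\n"):
    hdr = b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (b"x.o/", mtime, 0, 0, b"100644", len(body))
    return AR_MAGIC + hdr + body + (b"\n" if len(body) & 1 else b"")
def make_gz(mtime, body=b"manual page\n"):
    return gzip.compress(body, mtime=mtime)
```

Files reported as "content" still differ after masking and need a closer look; "timestamp-only" entries point at the archiver or compressor invocation rather than at the compiled code.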

