Differences between revisions 26 and 27
Revision 26 as of 2015-01-21 08:35:47
Size: 12197
Editor: Lunar
Comment: minor rewording
Revision 27 as of 2015-01-22 16:58:59
Size: 12309
Editor: Lunar
Comment: mention the binNMU .dsc issue
Deletions are marked like this. Additions are marked like this.
Line 28: Line 28:
 * Hack binNMU infrastructure (dak?) so .dsc for binNMUs are kept in the archive instead of being thrown away.

Stay in touch

Task suggestions

To get help, feel free to ask on the IRC channel or the mailing list. We want to be friendly, supportive, and have fun experimenting together.

How to report bugs

All bugs relevant to the reproducible builds project should use usertags with user reproducible-builds@lists.alioth.debian.org. Also use X-Debbugs-Cc to notify the list.

Current usertags in use:

toolchain
affects a tool used by other package build systems
infrastructure
affects the whole Debian infrastructure or policies
timestamps
time of build in recorded during the build process
fileordering
build output varies with readdir() order
buildpath
path of sources is recorded during the build process
username
username is recorded during the build process
hostname
hostname is recorded during the build process
uname
uname output is recorded during the build process
randomness
some build aspects are dependent on (pseudo-)randomness
cpu
some build aspects are dependent on CPU features or computation speed
buildinfo
issues related to .buildinfo control files

?Control commands to update the view on the BTS.

Example email to submit a patch:

From: J. Random Hacker <jrhacker@example.org>
To: submit@bugs.debian.org
Subject: foo: please make the build reproducible
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Source: foo
Version: 1.0-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps fileordering

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that foo could not be built reproducibly.

The attached patch removes extra timestamps from the build system and
ensure a stable file order when creating the source archive. Once applied,
foo can be built reproducibly in our current experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds

Inventorying issues

The easiest way to find issues is to examine the list of packages failing to build reproducibly as found by continuous integration. The first packages in the list are the one who have been tried most recently.

Notes about packages are kept in the notes Git repository in packages.yml. The list of known common issues is kept in the issues.yml file.

The page for a given package should open on the debbindiff output. Read the list of known issues to get an idea of what you may found. Here are some more advices:

The clean-notes script in the misc repository will detect outdated notes and re-order packages by alphabetical order. It should be run before committing changes to the notes repository.

Fixing issues

Fixing reproducibility issues falls into two categories: either the problem is specific to a single package or the cause is the output of another package (then referenced as “toolchain” package).

Fixing a single package

The usual steps are:

  1. Use debcheckout or apt-get source to retrieve the source code.

  2. Do the changes. With packages using the 3.0 (quilt) format, dpkg-source --commit can be useful.

  3. Update debian/changelog. New version is usually original version with .0~reproducible1.

  4. Use dpkg-buildpackage -S to create source package.

  5. Use the prebuilder script to test reproducibility. If the package is not reproducible, examine debbindiff output logs/PACKAGE.debbindiff.html or compare build logs logs/PACKAGE.build1 and logs/PACKAGE.build2, then repeat from step 2 unless the issue comes from another package. In that case, see about “toolchain” packages below.

  6. Use debdiff or git format-patch to create patches.

  7. ?Create a new bug report, and don't forget to attach the patch!

  8. Add an entry or reference the bug in packages.yml in notes.git.

Fixing a toolchain package

Fixing an issue in a package that affects the reproducibility of other packages requires some more steps, but the general process is the same:

  1. Use debcheckout or apt-get source to retrieve the source code.

  2. Do the changes. With packages using the 3.0 (quilt) format, dpkg-source --commit can be useful.

  3. Update debian/changelog. New version is usually original version with .0~reproducible1.

  4. Use pdebuild or gbp buildpackage to build the package.

  5. Backup base-reproducible.tgz.

  6. Use pbuilder --login --save-after-exec --basetgz base-reproducible.tgz to install the newly built package.

  7. Test a package affected with prebuilder. If the issue is still not fixed, repeat from step 2.

  8. If the package is in Git, use SSH to login on alioth.debian.org. Go to /git/reproducible. Use ./setup-repository to create a new repository. Push your changes to a (rebasable) pu/reproducible_builds branch.

  9. Subscribe to the upload-source notification for the package on the Package Tracking System. This is needed so you don't forget to update the custom package when a new version hits the archive.

  10. Upload the package to the reproducible APT repository.

  11. Document the changes on the wiki.

  12. Reference the bug in issues.yml in notes.git and on the wiki page about the issue if there's one.

  13. Ask h01ger to reschedule affected packages. (Usually via the #debian-reproducible IRC channel, sometimes he might ask for emails instead. In theory we could also allow signed gpg mails to trigger that but so far manual rescheduling on demand has proven to work well.) One way to look them up: grep-dctrl -n -sPackage -FBuild-Depends $SOURCE_PACKAGE /var/lib/apt/lists/*Sources | sort -u

  14. If the changes don't break anything, ?create a new bug report. Don't forget to attach patches and to use the toolchain usertag.

Working on the continuous integration platform

Several jobs have been created to regularly test packages (from sid main) on jenkins.debian.net. As a result there is the reproducible build overview of packages.

The setup is explained in this blog post only, but this post is somewhat outdated by now and needs to be amended.

See the various reproducible_* scripts in the Jenkins Git repository.

Working on installation media or live systems

Having installation and live systems which can be built reproducibly would also be great. There is an analyze_image bash script that creates sha512 hashes of all files included within an image, access rights, symlinks, parition table, bootloader and more. Doing this with two images that should match and comparing the reports the script creates can help to identify sources of non-determinism in images.

See also:

Does not have iso support yet. The autor (Patrick Schleizer) is interested to generalize the script for more generic, Debian use cases.