Differences between revisions 3 and 4
Revision 3 as of 2015-01-05 17:06:41
Size: 4598
Editor: Lunar
Comment: formatting
Revision 4 as of 2015-01-05 22:58:17
Size: 5430
Editor: Lunar
Comment: enhance bug reporting documentation
Deletions are marked like this. Additions are marked like this.
Line 23: Line 23:
= Reported bugs = = How to report bugs =
Line 29: Line 29:
All bugs relevant to the reproducible builds project should use [[bugs.debian.org/usertags|usertags]] with user `reproducible-builds@lists.alioth.debian.org`. All bugs relevant to the reproducible builds project should use [[bugs.debian.org/usertags|usertags]] with user `reproducible-builds@lists.alioth.debian.org`. Also use `X-Debbugs-Cc` to notify the list.
Line 46: Line 46:

Example email to submit a patch:

{{{
From: J. Random Hacker <jrhacker@example.org>
To: submit@bugs.debian.org
Subject: foo: please make the build reproducible
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Source: foo
Version: 1.0-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps fileordering

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that foo could not be built reproducibly.

The attached patch removes extra timestamps from the build system and
ensure a stable file order when creating the source archive. Once applied,
foo can be built reproducibly in our current experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds
}}}

Stay in touch

Useful things you (yes, you!) can do

  • If you maintain a package for debian, you can make sure that your package uses a modern debhelper style (e.g. one-liner debian/rules with overrides as needed). We aim to fix many causes of non-deterministic builds in the debhelper suite directly, so packages that use debhelper will be much easier to make reproducible with just an upgrade of the toolchain.

  • Look at the last 24h of results from Jenkins reproducible jobs, pick a package, look at the debbindiff output and investigate.

  • Find a way to prevent javadoc from writing timestamps.
  • Find a way to prevent Epydoc from writing timestamps and output links in filesystem order.
  • Find a way to get reproducible PE binaries.
  • Create a patch for pbuilder to build packages in /usr/src/debian/hello-2.8-1 instead of /tmp/buildd.

  • Research about other distributions: NixOS, SUSE (see build-compare), then write about it on your blog and link to it on this wiki page.

  • make the perl package build entirely without calling perl at all

If you want to help with this, feel free to ping the mailing list or edit this wiki page.

How to report bugs

All bugs relevant to the reproducible builds project should use usertags with user reproducible-builds@lists.alioth.debian.org. Also use X-Debbugs-Cc to notify the list.

Current usertags in use:

toolchain
affects a tool used by other package build systems
infrastructure
affects the whole Debian infrastructure or policies
timestamps
time of build in recorded during the build process
fileordering
build output varies with readdir() order
buildpath
path of sources is recorded during the build process
username
username is recorded during the build process
hostname
hostname is recorded during the build process
uname
uname output is recorded during the build process
randomness
some build aspects are dependent on (pseudo-)randomness
cpu
some build aspects are dependent on CPU features or computation speed
buildinfo
issues related to .buildinfo control files

?Control commands to update the view on the BTS.

Example email to submit a patch:

From: J. Random Hacker <jrhacker@example.org>
To: submit@bugs.debian.org
Subject: foo: please make the build reproducible
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Source: foo
Version: 1.0-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps fileordering

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that foo could not be built reproducibly.

The attached patch removes extra timestamps from the build system and
ensure a stable file order when creating the source archive. Once applied,
foo can be built reproducibly in our current experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds

Reproducible builds automated on jenkins.d.n

Several jobs have been created to regularily test packages (from sid main) on jenkins.d.n. As a result there is the reproducible build overview of packages, which eventually will have results for all >21k sources packages in Debian.

The setup is explained in this blog post only, but this post is somewhat outdated by now and needs to be amended.

bash script to analyze images

Deterministic images (raw images, qcow2 images, iso's) are the next logical evolution. There is a analyze_image bash script that creates sha512 hashes of all files included within an image, access rights, symlinks, parition table, bootloader and more. Doing this with two images that should match and comparing the reports the script creates can help to identify sources of non-determinism in images.

See also:

Does not have iso support yet. The autor (Patrick Schleizer) is interested to generalize the script for more generic, Debian use cases.