12041
Comment: add a usertag for recording the environment
|
12087
|
Deletions are marked like this. | Additions are marked like this. |
Line 54: | Line 54: |
umask:: permissions depend on current umask |
Contents
Stay in touch
Subscribe to the reproducible-builds@lists.alioth.debian.org mailing list.
Join the #debian-reproducible IRC channel on OFTC.
Add ReproducibleBuilds.* to your wiki notifications.
Subscribe to commit notifications.
Task suggestions
If you maintain a package for Debian, you can make sure that your package uses a modern debhelper style (e.g. one-liner debian/rules with overrides as needed). We aim to fix many causes of non-deterministic builds in the debhelper suite directly, so packages that use debhelper will be much easier to make reproducible with just an upgrade of the toolchain.
?Inventory issues found by the continuous integration platform.
?Fix known reproducibility issues. Bonus point for finding ways to:
Create a patch for pbuilder to build packages in /usr/src/debian/hello-2.8-1 instead of /tmp/buildd.
Hack dak to add support for .buildinfo.
Research how to run rebuilds on buildds.
- Research on how change dak to only accept packages after multiple maching builds.
- Hack binNMU infrastructure (dak?) so .dsc for binNMUs are kept in the archive instead of being thrown away.
- Patch the continuous integration scripts to declare different locales for the first build and the subsequent rebuild.
Research about other distributions: NixOS, SUSE (see build-compare), then write about it on a blog, this wiki or the mailing list.
Write a tool to show locally installed packages which don't build reproducible yet: compare reproducible.json against dpkg -l.
To get help, feel free to ask on the IRC channel or the mailing list. We want to be friendly, supportive, and have fun experimenting together.
How to report bugs
All bugs relevant to the reproducible builds project should use usertags with user reproducible-builds@lists.alioth.debian.org. Also use X-Debbugs-Cc to notify the list.
Current usertags in use:
- toolchain
- affects a tool used by other package build systems
- infrastructure
- affects the whole Debian infrastructure or policies
- timestamps
- time of build in recorded during the build process
- fileordering
- build output varies with readdir() order
- buildpath
- path of sources is recorded during the build process
- username
- username is recorded during the build process
- hostname
- hostname is recorded during the build process
- uname
- uname output is recorded during the build process
- environment
- environment variables are recorded during the build process
- randomness
- some build aspects are dependent on (pseudo-)randomness
- cpu
- some build aspects are dependent on CPU features or computation speed
- signatures
- uses a cryptographic signatures as part of the build process
- umask
- permissions depend on current umask
- buildinfo
- issues related to .buildinfo control files
Control commands to update the view on the BTS.
Example email to submit a patch:
From: J. Random Hacker <jrhacker@example.org> To: submit@bugs.debian.org Subject: foo: please make the build reproducible X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org Source: foo Version: 1.0-1 Severity: wishlist Tags: patch User: reproducible-builds@lists.alioth.debian.org Usertags: timestamps fileordering Hi! While working on the “reproducible builds” effort [1], we have noticed that foo could not be built reproducibly. The attached patch removes extra timestamps from the build system and ensure a stable file order when creating the source archive. Once applied, foo can be built reproducibly in our current experimental framework. [1]: https://wiki.debian.org/ReproducibleBuilds
Inventorying issues
The easiest way to find issues is to examine the list of packages failing to build reproducibly as found by continuous integration. The first packages in the list are the one who have been tried most recently.
Notes about packages are kept in the notes Git repository in packages.yml. The list of known common issues is kept in the issues.yml file.
The page for a given package should open on the debbindiff output. Read the list of known issues to get an idea of what you may found. Here are some more advices:
When a binary has mismatching mtimes for files in control.tar.gz, it means that they are not adjusted before creating the binary package.
Timestamps in gzip headers are a no-brainer.
When there's a mismatching Build ID in an executable, it means a variation happens during the compilation. Investigation can be done using sources.debian.net (see link at the top). First step should be a search for the __(DATE|TIME|TIMESTAMP)__ macros using codesearch. Otherwise, try to locate calls to date in configure.ac, Makefile.am, etc.
The clean-notes script in the misc repository will detect outdated notes and re-order packages by alphabetical order. It should be run before committing changes to the notes repository.
Fixing issues
Fixing reproducibility issues falls into two categories: either the problem is specific to a single package or the cause is the output of another package (then referenced as “toolchain” package).
Fixing a single package
The usual steps are:
Use debcheckout or apt-get source to retrieve the source code.
Do the changes. With packages using the 3.0 (quilt) format, dpkg-source --commit can be useful.
Update debian/changelog. New version is usually original version with .0~reproducible1.
Use dpkg-buildpackage -S to create source package.
Use the prebuilder script to test reproducibility. If the package is not reproducible, examine debbindiff output logs/PACKAGE.debbindiff.html or compare build logs logs/PACKAGE.build1 and logs/PACKAGE.build2, then repeat from step 2 unless the issue comes from another package. In that case, see about “toolchain” packages below.
Use debdiff or git format-patch to create patches.
?Create a new bug report, and don't forget to attach the patch!
Add an entry or reference the bug in packages.yml in notes.git.
Fixing a toolchain package
Fixing an issue in a package that affects the reproducibility of other packages requires some more steps, but the general process is the same:
Use debcheckout or apt-get source to retrieve the source code.
Do the changes. With packages using the 3.0 (quilt) format, dpkg-source --commit can be useful.
Update debian/changelog. New version is usually original version with .0~reproducible1.
Use pdebuild or gbp buildpackage to build the package.
Backup base-reproducible.tgz.
Use pbuilder --login --save-after-exec --basetgz base-reproducible.tgz to install the newly built package.
Test a package affected with prebuilder. If the issue is still not fixed, repeat from step 2.
If the package is in Git, use SSH to login on alioth.debian.org. Go to /git/reproducible. Use ./setup-repository to create a new repository. Push your changes to a (rebasable) pu/reproducible_builds branch.
Subscribe to the upload-source notification for the package on the Package Tracking System. This is needed so you don't forget to update the custom package when a new version hits the archive.
Upload the package to the reproducible APT repository.
Document the changes on the wiki.
Reference the bug in issues.yml in notes.git and on the wiki page about the issue if there's one.
Ask h01ger to reschedule affected packages. (Usually via the #debian-reproducible IRC channel, sometimes he might ask for emails instead. In theory we could also allow signed gpg mails to trigger that but so far manual rescheduling on demand has proven to work well.) One way to look them up: grep-dctrl -n -sPackage -FBuild-Depends $SOURCE_PACKAGE /var/lib/apt/lists/*Sources | sort -u
If the changes don't break anything, ?create a new bug report. Don't forget to attach patches and to use the toolchain usertag.
Working on the continuous integration platform
Several jobs have been created to regularly test packages (from sid main) on jenkins.debian.net. As a result there is the reproducible build overview of packages.
The setup is explained in this blog post only, but this post is somewhat outdated by now and needs to be amended.
See the various reproducible_* scripts in the Jenkins Git repository.
Working on installation media or live systems
Having installation and live systems which can be built reproducibly would also be great. There is an analyze_image bash script that creates sha512 hashes of all files included within an image, access rights, symlinks, parition table, bootloader and more. Doing this with two images that should match and comparing the reports the script creates can help to identify sources of non-determinism in images.
See also:
Does not have iso support yet. The autor (Patrick Schleizer) is interested to generalize the script for more generic, Debian use cases.