Differences between revisions 1 and 2
Revision 1 as of 2015-01-06 17:19:12
Size: 2684
Editor: Lunar
Comment: move old issues away from howto
Revision 2 as of 2015-01-06 17:33:59
Size: 2816
Editor: Lunar
Comment: move one item
Deletions are marked like this. Additions are marked like this.
Line 54: Line 54:

== Files in data.tar contain timestamps ==

 * [[ReproducibleBuilds/TimestampInGhcInterfaces|Timestamps in ghc --show-ifaces]]

Here's some details about issues that were preventing packages to build reproducibly and who has been fixed or worked around in Debian. This is mainly intended as a reference for developers and packagers working on other projects.

Files in data.tar.gz contains build paths

The build path is embedded in DWARF sections of ELF files among other types of file generated during builds. This has proven a real headache to fix after the path have been captured.

We are thus going to make mandatory to build package in a directory named like /usr/src/debian/hello-2.8-1.

As a bonus, this means that it will be easier to unpack packages in this canonical location for use with tools looking at the source code like gdb.

Generation of files in data.tar depends on (pseudo-)randomness

Now fixed:

{data,control}.tar.{gz,xz,bz2} will store files in readdir order

This is dependent on an accident of filesystem layout at build time, so it would sometimes not be reproducible.

We should probably fix this in dpkg by sorting the contents of the tar files.

Changes are discussed in 719845. Test case patch for pkg-tests. Patches that fork `sort` to get a stable order for files in control and data archives.

Files generated by debhelper depend on readdir order

At least the shlibs files generated by dh_makeshlibs depends on the order returned by find(1). There might be other debhelper programs with the same issue.

Randomness in control file

Now fixed:

.deb ar-archive header contains a timestamp

.deb are ar-archives. The header currently contains the “current time”.

759999 contains patches against dpkg that will preset the timestamp to the time of the latest entry of debian/changelog when a package is built using dpkg-buildpackage.

XSLT generate-id() is non-deterministic

XSLT's generate-id() function is explicitly allowed by the XSLT spec to be non-deterministic, and is frequently implemented using memory addresses of XML nodes, which are of course non-deterministic thanks to ASLR. Consequentially, files that are generated by XSLT (typically documentation) that include the result of generate-id() in their output do not build deterministically.

piuparts, which uses xmlto to generate documentation, is affected by this.

Files in data.tar contain timestamps