
Reproducible builds/Status

Arch Linux is constantly rebuilding core and extra packages and publishes the results on a status page. This page tracks the status of bad packages and what needs to be fixed.

Issues

General

  • A rebuild is required for all packages built with pacman < 5.2 to resolve file order issues and a btrfs size bug. For the file order issue, the affected extra packages can be found by running the following one-liner on a mirror directory:
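for i in /srv/ftp/extra/os/x86_64/*.pkg.tar.??; do
   # list the entries whose names start with a dot (package metadata such as .PKGINFO), in archive order
   bsdtar -tf "$i" | grep "^\." > pkg-order
   sort pkg-order > sort-order
   # print the package if those entries are not stored in sorted order
   if ! diff pkg-order sort-order &>/dev/null; then
     echo "$i"
   fi
   rm pkg-order sort-order
done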

File order rebuild FTBFS

accounts-qml-module-0.7-2-x86_64.pkg.tar.xz
archboot-2019.03-1-any.pkg.tar.xz
cmark-0.29.0-1-x86_64.pkg.tar.xz
gtk-sharp-2-2.12.45-2-x86_64.pkg.tar.xz
guile1.8-1.8.8-7-x86_64.pkg.tar.xz
java11-openjfx-11.0.3.u1-1-x86_64.pkg.tar.xz
java11-openjfx-doc-11.0.3.u1-1-x86_64.pkg.tar.xz
java11-openjfx-src-11.0.3.u1-1-x86_64.pkg.tar.xz
java8-openjfx-8.u202-3-x86_64.pkg.tar.xz
java8-openjfx-doc-8.u202-3-x86_64.pkg.tar.xz
java8-openjfx-src-8.u202-3-x86_64.pkg.tar.xz
java-openjfx-13.u14-1-x86_64.pkg.tar.xz
java-openjfx-doc-13.u14-1-x86_64.pkg.tar.xz
java-openjfx-src-13.u14-1-x86_64.pkg.tar.xz
jdk10-openjdk-10.0.2.u13-2-x86_64.pkg.tar.xz
jre10-openjdk-10.0.2.u13-2-x86_64.pkg.tar.xz
jre10-openjdk-headless-10.0.2.u13-2-x86_64.pkg.tar.xz
jsonrpc-glib-3.34.0-1-x86_64.pkg.tar.xz
libva-vdpau-driver-0.7.4-4-x86_64.pkg.tar.xz
liferea-1.12.7-1-x86_64.pkg.tar.xz
linux-atm-2.5.2-6-x86_64.pkg.tar.xz
mono-tools-4.2-2-x86_64.pkg.tar.xz
npapi-sdk-0.27.2-2-any.pkg.tar.xz
nss_ldap-265-7-x86_64.pkg.tar.xz
openjdk10-doc-10.0.2.u13-2-x86_64.pkg.tar.xz
openjdk10-src-10.0.2.u13-2-x86_64.pkg.tar.xz
pam_ldap-186-6-x86_64.pkg.tar.xz
portaudio-1:19.6.0-6-x86_64.pkg.tar.xz
qtav-1.13.0-1-x86_64.pkg.tar.xz

Packages with JAR files

JARs include a modification timestamp for each file, making them unreproducible. Depending on the build system, there are different solutions available for this.

Ant

Currently has no support for reproducible builds; see the upstream feature request.

Gradle

Should support reproducible builds out of the box.

Maven

Supports the project.build.outputTimestamp property, which can be set to a fixed timestamp. Recent versions of Maven plugins respect this property to create reproducible artefacts. The property should be set in the project's pom.xml file. If upstream does not already do this, you can define it at compile time using a command like

mvn -Dproject.build.outputTimestamp="$SOURCE_DATE_EPOCH" clean package

It might be necessary to patch the project's pom.xml to update plugins to a more recent version with support for reproducible builds. See the Maven guide to reproducible builds for the minimum required versions and for more information, such as additional necessary configuration options.

Example package (including a patch for a Maven plugin version update): junit-system-rules.

OpenJDK jar command

The builtin OpenJDK jar program will support SOURCE_DATE_EPOCH starting with OpenJDK version 15.

strip-nondeterminism

As a last resort, strip-nondeterminism from Debian is able to strip unreproducible metadata like file timestamps from a variety of file types, including JARs. It is not a cure-all (e.g. build systems might include additional unreproducible metadata in the JAR manifest; strip-nondeterminism removes some, but not all, of these) and should only be used if no native support for reproducible builds is available:

strip-nondeterminism --timestamp "$SOURCE_DATE_EPOCH"

Example package: pdftk.
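To make the JAR timestamp problem described in this section concrete, the following added example (not taken from the wiki or from any of the tools named above) builds the same toy JAR twice with different entry timestamps and entry order, then rewrites both with one timestamp derived from SOURCE_DATE_EPOCH. The file names, the epoch value and the helper functions are constructed for illustration; the code shows the general idea of timestamp normalization and is not how strip-nondeterminism is implemented.

```python
import io
import time
import zipfile

# Constructed sample input: two entries of a toy JAR (not a real package).
SAMPLE_FILES = [
    ("org/example/Main.class", b"\xca\xfe\xba\xbe constructed class bytes"),
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n"),
]
SOURCE_DATE_EPOCH = 1589632356  # constructed value: 2020-05-16 12:32:36 UTC

def build_jar(files, mtime):
    """Build a JAR (a ZIP archive) in memory; every entry is stamped with mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in files:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, data)
    return buf.getvalue()

def normalize_jar(jar_bytes, epoch):
    """Rewrite a JAR with one fixed entry timestamp and a stable entry order."""
    # The ZIP format cannot store dates before 1980, so clamp to that.
    fixed = max(time.gmtime(epoch)[:6], (1980, 1, 1, 0, 0, 0))
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        # Manifest first (some JAR readers expect that), then sorted by name.
        order = sorted(src.infolist(),
                       key=lambda i: (i.filename != "META-INF/MANIFEST.MF", i.filename))
        for old in order:
            new = zipfile.ZipInfo(old.filename, date_time=fixed)
            new.compress_type = old.compress_type
            new.external_attr = old.external_attr  # keep permission bits
            dst.writestr(new, src.read(old.filename))
    return out.getvalue()

def entry_times(jar_bytes):
    """Return the set of modification timestamps stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {info.date_time for info in jar.infolist()}

if __name__ == "__main__":
    a = build_jar(SAMPLE_FILES, (2020, 5, 16, 10, 0, 0))
    b = build_jar(SAMPLE_FILES[::-1], (2020, 5, 17, 9, 30, 0))
    print("raw builds identical:       ", a == b)
    print("normalized builds identical:",
          normalize_jar(a, SOURCE_DATE_EPOCH) == normalize_jar(b, SOURCE_DATE_EPOCH))
```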

KDE Kdeveloper project files

KDE creates app template .tar.bz2 files in which the tar entries and user ID differ when reproducing with repro, which might be a bug in repro. https://gist.githubusercontent.com/jelly/570313f56ee59be7674ad4cc002232e7/raw/b85536690c48b23ce97650e8db8f0ca18c2dbf1a/gistfile1.txt

The cmake file which generates the issue.

Doxygen documentation build with graphviz-2.44.0-2

graphviz lacked a dependency on libpng. Because graphviz was installed before libpng was available, it did not mark libpng as a library to be dlopen'd, which made PNG generation unavailable in dot. All packages which depend on doxygen for generating documentation and which show the following diff require a rebuild.

│ │ --rw-r--r--   0 root         (0) root         (0)    20234 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser.html
│ │ --rw-r--r--   0 root         (0) root         (0)      265 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.map
│ │ --rw-r--r--   0 root         (0) root         (0)       32 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.md5
│ │ --rw-r--r--   0 root         (0) root         (0)     3136 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.png
│ │ +-rw-r--r--   0 root         (0) root         (0)    19961 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser.html
│ │ +-rw-r--r--   0 root         (0) root         (0)      598 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.dot

[core]

| Package | Issue | Solution/Patch | Assignee | Solved |
| audit | FTBFS with linux-headers 5.17+ | proposed | none | No |
| dmraid | FTBFS due to -Werror=format-security | proposed upstream on 2022-10-06 | none | No |
| dnssec-anchors | differs | none | none | No |
|  | File times within some .ads files | none | none | No |
|  | binary containing source file name differ depending on makeflags | proposed upstream | none | No |
|  | missing files when building with /bin/sh = dash | merged but not released (latest release 0.3.2 from 2021-03) | none | No |
| linux | Signed modules | none | none | No |
| linux-docs | lots of issues - ordering, linking, ... | none | none | No |
|  | diff | none | none | No |
|  | as for linux | none | none | No |
|  | as for linux-docs | none | none | No |
|  | as for | none | none | No |
|  | Binary differences in from shlibsign | none | none | No |
| perl | timestamp, uname encoded in build | none | none | No |
| syslinux | FTBFS | proposed in issue | none | No |

[extra]

| Package | Issue | Solution/Patch | Assignee | Solved |
|  | and | none | none | No |
|  | size issue - FTBFS during rebuild | none | none | No |
|  | many differences in | none | none | No |
|  | .jar file differences | none | none | No |
| ant-doc | lots of timestamps (javadoc), and .zip file difference | none | none | No |
|  |  | none | none | No |
|  | Adding files to backup array needs sorting, usr/lib/python3.8/site-packages/LibAppArmor/__pycache__/LibAppArmor.cpython-38.pyc | none | none | No |
|  | Dates in html and info. PDF document differences (dates?) | none | none | No |
|  | Timestamp in man pages, with different file ownership, and a small binary change in | need export MAN_PAGE_DATE=... and configure --enable-timeout=70 | none | No |
|  | uname and timestamps all over the place | none | none | No |
| breezy | 3.0.2.3-3 reproducible with both repro and makechrootpkg | tooling issue? | none | No |
|  |  | none | none | No |
|  | lots of texi2html timestamps | none | none | No |
|  | binary difference in usr/bin/fpcalc | none | none | No |
|  | ip address; timestamps in ps docs, likely much more | none | none | No |
|  | Profile ID differs in and binary differences in | none | none | No |
| conky | timestamp (from toluapp) and uname (at minimum) | none | none | No |
|  | .pyc file, .egg files | none | none | No |
|  | lots of pdfs with differences | none | none | No |
|  | uname, timestamp, gzip, lots of other binary differences | none | none | No |
|  | .jar file | none | none | No |
|  | /usr/share/efitools/efi/LockDown.efi has binary differences | none | none | No |
|  | lots of binary differences | none | none | No |
|  | pdf differences, including dates | none | none | No |
|  | binary differences in usr/bin/emacs | none | none | No |
|  | Small ordering diff in | none | none | No |
|  | It is firefox ; PGO? | bug + patch | none | No |
|  | FTBFS with repro. Timestamp inside man pages | none | none | No |
|  | Binary differences in fontforge and some libraries | none | none | No |
|  | user/group names of files in usr/share/kdevappwizard/templates/akonadi{resource,serializer}.tar.bz2 | none | none | No |
|  | file attribute(?) differences in | none | none | No |
|  | Binary differences in usr/lib/libgee-0.8.so.2.6.1 | none | none | No |
|  | uname in | none | none | No |
|  | and have differences | none | none | No |
|  | FTBFS under repro. makerepropkg - many differences everywhere... | none | none | No |
|  | /usr/share/gir-1.0/LangTag-0.6.gir | none | none | No |
|  | timestamp in & | none | none | No |
| libquvi | timestamp in | none | none | No |
|  | timestamp in yaml files, has lots of timestamp differences, repro causes poll() detection issue not found in makerepropkg | patch | none | No |
|  | .pyc files, also some test .pyc files missing | none | none | No |
|  | Lots of timestamps in files, gzip timestamps, randomly(?) generated paths in , binary differences... | none | none | No |
| transmission-gtk | uname in , build with vendored dependencies (miniupncpc which contains ) | none | none | No |
|  | Timestamp in | none | none | No |
| zeitgeist | diff Weird text differences in | none | none | No |

[multilib]

| Package | Issue | Solution/Patch | Assignee | Solved |
|  | Binary includes build date | proposed | none | No |
This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.