On 2016-02-17 22:07, Christian Boltz wrote:
On Wednesday, 17 February 2016, Bernhard M. Wiedemann wrote:
now I had some time to look into how reproducible our builds are and had a VM (with 4 cores) build all Leap 42.1 packages named a*
using some helper scripts, which I uploaded to https://github.com/bmwiedemann/reproducibleopensuse
with those helpers, I just had to do
rebuildmany a*
comparemany a*
btw: the rebuild of those 217 packages took 382 minutes
of those 217 (a small subset of Leap's 7830), build-compare reported a diff for 36 packages
and if you wonder, those are a2ps acct aegisub aespipe allegro alpine amanda amor anjuta anthy antlr apache-commons-cli apache-commons-codec apache-commons-collections apache-commons-email apache-commons-io apache-commons-lang apache-portlet-1_0-api apel appframework aqbanking argyllcms arts asl asm3 aspell aspell-en atmel-firmware autoconf-el autogen autoyast2 avfs avogadro avrdude awesome axis
I just checked the Debian result for some of them on https://tests.reproducible-builds.org/reproducible.html and interestingly, several of the packages you listed above are reproducible on Debian: acct, aegisub, aespipe, anthy, apel, asl, aspell, autogen, avogadro, avrdude.
I know the reproducible builds team at Debian is actively pushing patches to make the build reproducible, but I'm not sure if they were able to fix that many packages already (10 out of 36 - actually I should probably say 10 out of ~25 because some of the packages you listed don't exist in Debian, at least not with this name).
I think they are very active and use the latest upstream versions, possibly with extra patches, while I tested with Leap, which is an older codebase, but Factory was too fast-moving for me to test with atm.
Some diffs could also be caused by the fact that we do not always rebuild all dependent packages on changes. That could be avoided by doing it like the Debian guys - rebuilding twice in two very different contexts.
Can you upload the differences for the packages you tested somewhere so that interested people don't need to rebuild everything just to get the diff?
Oh, BTW - maybe having some variables in your scripts instead of hardcoded paths would be nice ;-)
yep, it is an early alpha and certainly on the TODO list.
I was curious and tried with aspell. The compare result is:
/dev/shm/reproducibleopensuse/openSUSE:Leap:42.1/aspell/binaries /dev/shm/reproducibleopensuse/openSUSE:Leap:42.1/aspell /dev/shm/reproducibleopensuse/openSUSE:Leap:42.1/aspell Comparing aspell-0.60.6.1-18.4.x86_64.rpm to aspell-0.60.6.1-0.x86_64.rpm comparing rpmtags --- /tmp/tmp.2P0iOiEtHL/tmp.jsMGUlvr4J 2016-02-17 21:34:31.060962628 +0100 +++ /tmp/tmp.2P0iOiEtHL/tmp.5h81k6Lq48 2016-02-17 21:34:31.068962571 +0100 @@ -9,7 +9,7 @@ has many other technical enhancements over Ispell, such as using shared memory for dictionaries and intelligently handling personal dictionaries when more than one Aspell process is open at once. - openSUSE openSUSE Leap 42.1 obs://build.opensuse.org/openSUSE:Leap:42.1/standard/dd3d6bcef5a4f7fe0
GFDL-1.1+ and LGPL-2.1 and HPND and SUSE-BSD-Mark-Modifications
GFDL-1.1+ and LGPL-2.1 and HPND and SUSE-BSD-Mark-Modifications + openSUSE openSUSE Leap 42.1 (none) GFDL-1.1+ and LGPL-2.1 and HPND and SUSE-BSD-Mark-Modifications GFDL-1.1+ and LGPL-2.1 and HPND and SUSE-BSD-Mark-Modifications Productivity/Text/Spell http://aspell.net/ (none) (none) (none) (none) 4.11.2 x86_64-suse-linux cpio lzma 5 comparing RELEASE comparing PROVIDES comparing scripts comparing filelist comparing file checksum creating rename script RPM meta information is identical Extracting packages Package content is identical
[...same for other subpackages...]
It seems the only difference is in the rpmtags - (none) vs. obs://build.opensuse.org/openSUSE:Leap:42.1/standard/dd3d6bcef5a4f7fe0
Is this really a relevant difference, or should it be whitelisted?
that is what I did with https://github.com/bmwiedemann/reproducibleopensuse/blob/master/build-compare.diff but not yet in a nice upstreamable way.
for aspell (and only this 1 of 36) I found that it is reproducible when building with osc build --vm-type=kvm, but when using the default chroot, it shows
comparing filelist @@ -1,8 +1,8 @@ /usr/bin/aspell 0 (none) 100755 root root 0 4294967295 /usr/bin/aspell-import 0 (none) 100755 root root 0 4294967295 - -/usr/bin/precat 0 (none) 100755 root root 0 4294967295 - -/usr/bin/preunzip 0 (none) 120777 root root 0 4294967295 precat - -/usr/bin/prezip 0 (none) 120777 root root 0 4294967295 precat +/usr/bin/precat 0 (none) 120777 root root 0 4294967295 prezip +/usr/bin/preunzip 0 (none) 120777 root root 0 4294967295 prezip +/usr/bin/prezip 0 (none) 100755 root root 0 4294967295 /usr/bin/prezip-bin 0 (none) 100755 root root 0 4294967295 /usr/bin/run-with-aspell 0 (none) 100755 root root 0 4294967295 /usr/bin/word-list-compress 0 (none) 100755 root root 0 4294967295 comparing file checksum creating rename script RPM file checksum differs. Extracting packages @@ -1 +0,0 @@ - -precat symlink target for /usr/bin/prezip differs
probably from the brp-symlink doing things differently in that context.
Hmm, actually $?=0, so on my system it _is_ reproducible. What did I do wrong? ;-)
I also tried aespipe, and get a real difference. Maybe someone should compare the openSUSE package with the Debian package to find out what they do differently to make the package reproducible ;-)
e.g. https://www.zq1.de/~bernhard/linux/reproducibleopensuse/compare/alpine-compare.out (and some others) shows an embedded ASCII date in 2 binaries.
Ciao Bernhard M.
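
Added example, not part of the original e-mail and not build-compare's own code: a Python sketch that triages the two aspell differences discussed above. It masks the obs:// value in the rpmtags before comparing, and it checks whether two filelists differ only in which name of a symlink group became the real file. The function names and the BUILD_A/BUILD_B samples are constructed for illustration, following the record layout of the filelist diff in the message.

```python
import posixpath
import re
import stat

# Constructed samples in the record layout of the filelist diff above:
# path, 0, (none), octal mode, owner, group, 0, 4294967295, [symlink target]
BUILD_A = """\
/usr/bin/aspell 0 (none) 100755 root root 0 4294967295
/usr/bin/precat 0 (none) 100755 root root 0 4294967295
/usr/bin/preunzip 0 (none) 120777 root root 0 4294967295 precat
/usr/bin/prezip 0 (none) 120777 root root 0 4294967295 precat
"""
BUILD_B = """\
/usr/bin/aspell 0 (none) 100755 root root 0 4294967295
/usr/bin/precat 0 (none) 120777 root root 0 4294967295 prezip
/usr/bin/preunzip 0 (none) 120777 root root 0 4294967295 prezip
/usr/bin/prezip 0 (none) 100755 root root 0 4294967295
"""

def parse_filelist(text):
    """Map path -> (mode, symlink target or None); assumes no spaces in paths."""
    entries = {}
    for f in (line.split() for line in text.splitlines() if line.strip()):
        mode = int(f[3], 8)
        target = f[8] if stat.S_ISLNK(mode) and len(f) > 8 else None
        entries[f[0]] = (mode, target)
    return entries

def alias_groups(entries):
    """Group each real file with the symlinks pointing at it (one hop only)."""
    groups = {}
    for path, (_mode, target) in entries.items():
        real = path
        if target is not None:
            real = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
        groups.setdefault(real, set()).add(path)
    return {frozenset(names) for names in groups.values()}

def classify(a_text, b_text):
    """Say whether two filelists are equal, equal up to alias choice, or different."""
    a, b = parse_filelist(a_text), parse_filelist(b_text)
    if a == b:
        return "identical"
    if alias_groups(a) == alias_groups(b):
        return "same alias groups, different real file"
    return "different content layout"

def mask_obs_url(rpmtags):
    """Replace an obs:// value with (none) so it does not count as a diff."""
    return re.sub(r"obs://\S+", "(none)", rpmtags)
```

A result of "same alias groups, different real file" means the packaging step is non-deterministic and still needs fixing; it only tells you the payload itself did not change.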