Reproducible builds/Status
Arch Linux is constantly rebuilding core and extra packages and has a status page. This page contains a status of bad packages and what needs to be fixed.
Issues
General
- A rebuild is required for all packages build with pacman < 5.2 to resolve file order issues and a btrfs size bug. For the file order issue the affecting extra packages can be found running the following one liner on a mirror directory:
for i in /srv/ftp/extra/os/x86_64/*.pkg.tar.??; do
bsdtar -tf $i | grep "^\." > pkg-order
sort pkg-order > sort-order
if ! diff pkg-order sort-order &>/dev/null; then
echo $i;
fi
rm pkg-order sort-order
done
File order rebuild FTBFS
accounts-qml-module-0.7-2-x86_64.pkg.tar.xz archboot-2019.03-1-any.pkg.tar.xz cmark-0.29.0-1-x86_64.pkg.tar.xz gtk-sharp-2-2.12.45-2-x86_64.pkg.tar.xz guile1.8-1.8.8-7-x86_64.pkg.tar.xz java11-openjfx-11.0.3.u1-1-x86_64.pkg.tar.xz java11-openjfx-doc-11.0.3.u1-1-x86_64.pkg.tar.xz java11-openjfx-src-11.0.3.u1-1-x86_64.pkg.tar.xz java8-openjfx-8.u202-3-x86_64.pkg.tar.xz java8-openjfx-doc-8.u202-3-x86_64.pkg.tar.xz java8-openjfx-src-8.u202-3-x86_64.pkg.tar.xz java-openjfx-13.u14-1-x86_64.pkg.tar.xz java-openjfx-doc-13.u14-1-x86_64.pkg.tar.xz java-openjfx-src-13.u14-1-x86_64.pkg.tar.xz jdk10-openjdk-10.0.2.u13-2-x86_64.pkg.tar.xz jre10-openjdk-10.0.2.u13-2-x86_64.pkg.tar.xz jre10-openjdk-headless-10.0.2.u13-2-x86_64.pkg.tar.xz jsonrpc-glib-3.34.0-1-x86_64.pkg.tar.xz libva-vdpau-driver-0.7.4-4-x86_64.pkg.tar.xz liferea-1.12.7-1-x86_64.pkg.tar.xz linux-atm-2.5.2-6-x86_64.pkg.tar.xz mono-tools-4.2-2-x86_64.pkg.tar.xz npapi-sdk-0.27.2-2-any.pkg.tar.xz nss_ldap-265-7-x86_64.pkg.tar.xz openjdk10-doc-10.0.2.u13-2-x86_64.pkg.tar.xz openjdk10-src-10.0.2.u13-2-x86_64.pkg.tar.xz pam_ldap-186-6-x86_64.pkg.tar.xz portaudio-1:19.6.0-6-x86_64.pkg.tar.xz qtav-1.13.0-1-x86_64.pkg.tar.xz
Packages with JAR files
JARs include a modification timestamp for each file, making them unreproducible. Depending on the build system, there are different solutions available for this.
Ant
Currently has no support for reproducible builds, see the upstream feature request.
Gradle
Should support reproducible builds out of the box.
Maven
Supports the project.build.outputTimestamp property that can be set to a fixed timestamp. Recent versions of Maven plugins respect this property to create reproducible artefacts. The property should be set in the project's pom.xml file, if upstream does not already do this, you can define it at compile time using a command like
mvn -Dproject.build.outputTimestamp="$SOURCE_DATE_EPOCH" clean package
It might be necessary to patch the project's pom.xml to update plugins to a more recent version with support for reproducible builds, see the Maven guide to reproducible builds for the minimum required versions and more information like additional necessary configuration options.
Example package (including a patch for a Maven plugin version update): junit-system-rules.
OpenJDK jar command
The builtin OpenJDK jar program will support SOURCE_DATE_EPOCH starting with OpenJDK version 15.
strip-nondeterminism
As a last resort, strip-nondeterminism from Debian is able to strip unreproducible metadata like file timestamps from a variety of file types, including JARs. It is not a cure-all (e.g. build systems might include additional unreproducible metadata in the JAR manifest, strip-nondeterminism removes some, but not all of these) and should only be used as a last resort if no native support for reproducible builds is available:
strip-nondeterminism --timestamp "$SOURCE_DATE_EPOCH"
Example package: pdftk.
KDE Kdeveloper project files
KDE creates Package App template .tar.bz2 files which tar files and userid is different when reproducing with repro which might be a bug in repro. https://gist.githubusercontent.com/jelly/570313f56ee59be7674ad4cc002232e7/raw/b85536690c48b23ce97650e8db8f0ca18c2dbf1a/gistfile1.txt
Doxygen documentation build with graphviz-2.44.0-2
graphviz lacked a dependency on libpng, making PNG generation unavailable in dot as graphviz was installed before libpng was available and therefore not marking it as to be dlopen'd. All packages which depend on doxygen for generation documentation and with the following diff require a rebuild.
│ │ --rw-r--r-- 0 root (0) root (0) 20234 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser.html │ │ --rw-r--r-- 0 root (0) root (0) 265 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.map │ │ --rw-r--r-- 0 root (0) root (0) 32 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.md5 │ │ --rw-r--r-- 0 root (0) root (0) 3136 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.png │ │ +-rw-r--r-- 0 root (0) root (0) 19961 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser.html │ │ +-rw-r--r-- 0 root (0) root (0) 598 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.dot
[core]
| Package | Issue | Solution/Patch | Assignee | Solved |
|---|---|---|---|---|
| audit | FTBFS with linux-headers 5.17+ | proposed | none | No |
| dmraid | FTBFS due to -Werror=format-security | proposed upstream on 2022-10-06 | none | No |
/etc/trusted-key.key differs | none | none | No | |
| File times within some .ads files | none | none | No | |
| ldns | binary containing source file name differ depending on makeflags | proposed upstream | none | No |
| missing files when building with /bin/sh = dash | merged but not released (latest release 0.3.2 from 2021-03) | none | No | |
| linux | Signed modules | none | none | No |
| lots of issues - ordering, linking, ... | none | none | No | |
| diff | none | none | No | |
| as for linux | none | none | No | |
| linux-lts-docs | as for | none | none | No |
| as for | none | none | No | |
| Binary differences in from shlibsign | none | none | No | |
| perl | timestamp, uname encoded in build | none | none | No |
| FTBFS | proposed in issue | none | No |
[extra]
| Package | Issue | Solution/Patch | Assignee | Solved |
|---|---|---|---|---|
| and | none | none | No | |
| size issue - FTBFS during rebuild | none | none | No | |
| amdvlk | many differences in | none | none | No |
| .jar file differences | none | none | No | |
| ant-doc | lots of timestamps (javadoc), and .zip file difference | none | none | No |
| none | none | No | ||
| Adding files to backup array needs sorting, | none | none | No | |
| Dates in html and info. PDF document differences (dates?) | none | none | No | |
Timestamp in man pages, sr/share/autogen/libopts-42.1.17.tar.gz with different file ownership, and a small binary change in | need export MAN_PAGE_DATE=... and configure --enable-timeout=70 | none | No | |
| uname and timestamps all over the place | none | none | No | |
| breezy | 3.0.2.3-3 reproducible with both repro and makechrootpkg | tooling issue? | none | No |
| none | none | No | ||
| lots of texi2html timestamps | none | none | No | |
| binary difference in | none | none | No | |
| ip address; timestamps in ps docs, likely much more | none | none | No | |
Profile ID differs in and binary differences in usr/lib/colord | none | none | No | |
| timestamp (from toluapp) and uname (at minimum) | none | none | No | |
| .pyc file, .egg files | none | none | No | |
| doxygen-docs | lots of pdfs with differences | none | none | No |
| uname, timestamp, gzip, lots of other binary differences | none | none | No | |
| .jar file | none | none | No | |
| has binary differences | none | none | No | |
| lots of binary differences | none | none | No | |
| pdf differences, including dates | none | none | No | |
| emacs | binary differences in | none | none | No |
Small ordering diff in /usr/share/doc/ECM/ExtraCMakeModules.qch | none | none | No | |
| It is firefox ; PGO? | bug + patch | none | No | |
| FTBFS with repro. Timestamp inside man pages | none | none | No | |
| Binary differences in fontforge and some libraries | none | none | No | |
| user/group names of files in | none | none | No | |
file attribute(?) differences in usr/share/java/{libbluray{,-awt}-j2se-1.2.0.jar | none | none | No | |
| Binary differences in | none | none | No | |
| uname in | none | none | No | |
/usr/lib/python2.7/site-packages/gi/overrides/IBus.pyc and have differences | none | none | No | |
| FTBFS under repro. makerepropkg - many differences everywhere... | none | none | No | |
| none | none | No | ||
| libmp4v2 | timestamp in & | none | none | No |
| timestamp in | none | none | No | |
timestamp in yaml files, usr/share/lirc/lirc-0.10.1.tar.gz has lots of timestamp differences, repro causes poll() detection issue not found in makerepropkg | patch | none | No | |
| .pyc files, also some test .pyc files missing | none | none | No | |
| Lots of timestamps in files, gzip timestamps, randomly(?) generated paths in , binary differences... | none | none | No | |
uname in , build with vendored dependencies (miniupncpc which contains uname -r) | none | none | No | |
| Timestamp in | none | none | No | |
| diff Weird text differences in | none | none | No |
[multilib]
| Package | Issue | Solution/Patch | Assignee | Solved |
|---|---|---|---|---|
| Binary includes build date | proposed | none | No |