Reproducible builds/Status

Arch Linux is constantly rebuilding core and extra packages and has a status page. This page contains a status of bad packages and what needs to be fixed.

Issues

General

A rebuild is required for all packages build with pacman < 5.2 to resolve file order issues and a btrfs size bug. For the file order issue the affecting extra packages can be found running the following one liner on a mirror directory:

for i in /srv/ftp/extra/os/x86_64/*.pkg.tar.??; do
   bsdtar -tf $i | grep "^\." > pkg-order
   sort pkg-order > sort-order
   if ! diff pkg-order sort-order &>/dev/null; then
     echo $i;
   fi
   rm pkg-order sort-order
done

File order rebuild FTBFS

accounts-qml-module-0.7-2-x86_64.pkg.tar.xz
archboot-2019.03-1-any.pkg.tar.xz
cmark-0.29.0-1-x86_64.pkg.tar.xz
gtk-sharp-2-2.12.45-2-x86_64.pkg.tar.xz
guile1.8-1.8.8-7-x86_64.pkg.tar.xz
java11-openjfx-11.0.3.u1-1-x86_64.pkg.tar.xz
java11-openjfx-doc-11.0.3.u1-1-x86_64.pkg.tar.xz
java11-openjfx-src-11.0.3.u1-1-x86_64.pkg.tar.xz
java8-openjfx-8.u202-3-x86_64.pkg.tar.xz
java8-openjfx-doc-8.u202-3-x86_64.pkg.tar.xz
java8-openjfx-src-8.u202-3-x86_64.pkg.tar.xz
java-openjfx-13.u14-1-x86_64.pkg.tar.xz
java-openjfx-doc-13.u14-1-x86_64.pkg.tar.xz
java-openjfx-src-13.u14-1-x86_64.pkg.tar.xz
jdk10-openjdk-10.0.2.u13-2-x86_64.pkg.tar.xz
jre10-openjdk-10.0.2.u13-2-x86_64.pkg.tar.xz
jre10-openjdk-headless-10.0.2.u13-2-x86_64.pkg.tar.xz
jsonrpc-glib-3.34.0-1-x86_64.pkg.tar.xz
libva-vdpau-driver-0.7.4-4-x86_64.pkg.tar.xz
liferea-1.12.7-1-x86_64.pkg.tar.xz
linux-atm-2.5.2-6-x86_64.pkg.tar.xz
mono-tools-4.2-2-x86_64.pkg.tar.xz
npapi-sdk-0.27.2-2-any.pkg.tar.xz
nss_ldap-265-7-x86_64.pkg.tar.xz
openjdk10-doc-10.0.2.u13-2-x86_64.pkg.tar.xz
openjdk10-src-10.0.2.u13-2-x86_64.pkg.tar.xz
pam_ldap-186-6-x86_64.pkg.tar.xz
portaudio-1:19.6.0-6-x86_64.pkg.tar.xz
qtav-1.13.0-1-x86_64.pkg.tar.xz

Packages with JAR files

JARs include a modification timestamp for each file, making them unreproducible. Depending on the build system, there are different solutions available for this.

Ant

Currently has no support for reproducible builds, see the upstream feature request.

Gradle

Should support reproducible builds out of the box.

Maven

Supports the project.build.outputTimestamp property that can be set to a fixed timestamp. Recent versions of Maven plugins respect this property to create reproducible artefacts. The property should be set in the project's pom.xml file, if upstream does not already do this, you can define it at compile time using a command like

mvn -Dproject.build.outputTimestamp="$SOURCE_DATE_EPOCH" clean package

It might be necessary to patch the project's pom.xml to update plugins to a more recent version with support for reproducible builds, see the Maven guide to reproducible builds for the minimum required versions and more information like additional necessary configuration options.

Example package (including a patch for a Maven plugin version update): junit-system-rules.

OpenJDK jar command

The builtin OpenJDK jar program will support SOURCE_DATE_EPOCH starting with OpenJDK version 15.

strip-nondeterminism

As a last resort, strip-nondeterminism from Debian is able to strip unreproducible metadata like file timestamps from a variety of file types, including JARs. It is not a cure-all (e.g. build systems might include additional unreproducible metadata in the JAR manifest, strip-nondeterminism removes some, but not all of these) and should only be used as a last resort if no native support for reproducible builds is available:

strip-nondeterminism --timestamp "$SOURCE_DATE_EPOCH"

Example package: pdftk.

KDE Kdeveloper project files

KDE creates Package App template .tar.bz2 files which tar files and userid is different when reproducing with repro which might be a bug in repro. https://gist.githubusercontent.com/jelly/570313f56ee59be7674ad4cc002232e7/raw/b85536690c48b23ce97650e8db8f0ca18c2dbf1a/gistfile1.txt

The cmake file which generates the issue.

Doxygen documentation build with graphviz-2.44.0-2

graphviz lacked a dependency on libpng, making PNG generation unavailable in dot as graphviz was installed before libpng was available and therefore not marking it as to be dlopen'd. All packages which depend on doxygen for generation documentation and with the following diff require a rebuild.

│ │ --rw-r--r--   0 root         (0) root         (0)    20234 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser.html
│ │ --rw-r--r--   0 root         (0) root         (0)      265 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.map
│ │ --rw-r--r--   0 root         (0) root         (0)       32 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.md5
│ │ --rw-r--r--   0 root         (0) root         (0)     3136 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.png
│ │ +-rw-r--r--   0 root         (0) root         (0)    19961 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser.html
│ │ +-rw-r--r--   0 root         (0) root         (0)      598 2020-05-16 12:32:36.000000 usr/share/doc/grantlee/classGrantlee_1_1Parser__inherit__graph.dot

[core]

Package	Issue	Solution/Patch	Assignee	Solved
dnssec-anchors	`/etc/trusted-key.key` differs	none	none	No
gcc-ada	File times within some .ads files	none	none	No
linux	Signed modules	none	none	No
linux-docs	lots of issues - ordering, linking, ...	none	none	No
linux-headers	`/usr/lib/modules/*/build/vmlinux` diff^{[dead link 2021-11-15 ⓘ]}	none	none	No
linux-lts	as for linux	none	none	No
linux-lts-docs	as for linux-docs	none	none	No
linux-lts-headers	as for linux-headers	none	none	No
nss	Binary differences in `/usr/lib/lib{freebl3,freeblpriv3,softokn3}.chk` from shlibsign	none	none	No
perl	timestamp, uname encoded in build	none	none	No

[extra]

Package	Issue	Solution/Patch	Assignee	Solved
abiword	`usr/lib/python2.7/site-packages/gi/overrides/Abi.pyc` and `.pyo`	none	none	No
accounts-qml-module	`.BUILDINFO` size issue - FTBFS during rebuild	none	none	No
amdvlk	many differences in `usr/lib/amdvlk64.so`	none	none	No
ant	.jar file differences	none	none	No
ant-doc	lots of timestamps (javadoc), and .zip file difference	none	none	No
antlr2^AUR	`usr/share/java/antlr2.jar`	none	none	No
apparmor	Adding files to backup array needs sorting, `usr/lib/python3.8/site-packages/LibAppArmor/__pycache__/LibAppArmor.cpython-38.pyc`	none	none	No
archboot	FTBFS - missing dependencies	none	none	No
asymptote	Dates in html and info. PDF document differences (dates?)	none	none	No
autogen	Timestamp in man pages, `sr/share/autogen/libopts-42.1.17.tar.gz` with different file ownership, and a small binary change in `usr/bin/autogen`	need export MAN_PAGE_DATE=... and configure --enable-timeout=70	none	No
bigloo	uname and timestamps all over the place	none	none	No
breezy	3.0.2.3-3 reproducible with both repro and makechrootpkg	tooling issue?	none	No
brltty	`usr/share/java/brlapi.jar`	none	none	No
check-docs	lots of texi2html timestamps	none	none	No
chromaprint	binary difference in `usr/bin/fpcalc`	none	none	No
clisp	ip address; timestamps in ps docs, likely much more	none	none	No
colord	Profile ID differs in `usr/share/color/icc/colord/{Crayons,x11-colors}.icc` and binary differences in `usr/lib/colord`	none	none	No
conky	timestamp (from toluapp) and uname (at minimum)	none	none	No
deluge	.pyc file, .egg files	none	none	No
doxygen-docs	lots of pdfs with differences	none	none	No
ecl	uname, timestamp, gzip, lots of other binary differences	none	none	No
eclipse-ecj	.jar file	none	none	No
efitools	`/usr/share/efitools/efi/LockDown.efi` has binary differences	none	none	No
efl	lots of binary differences	none	none	No
efl-docs	pdf differences, including dates	none	none	No
emacs	binary differences in `usr/bin/emacs`	none	none	No
extra-cmake-modules	Small ordering diff in `/usr/share/doc/ECM/ExtraCMakeModules.qch`	none	none	No
firefox	It is firefox ; PGO?	bug + patch	none	No
fontconfig	FTBFS with repro. Timestamp inside man pages	none	none	No
fontconfig-docs^{[broken link: package not found]}	Timestamp inside man pages	none	none	No
fontforge	Binary differences in fontforge and some libraries	none	none	No
libakonadi	user/group names of files in `usr/share/kdevappwizard/templates/akonadi{resource,serializer}.tar.bz2`	none	none	No
libbluray	file attribute(?) differences in `usr/share/java/{libbluray{,-awt}-j2se-1.2.0.jar`	none	none	No
libgee	Binary differences in `usr/lib/libgee-0.8.so.2.6.1`	none	none	No
libgtop	uname in `/usr/bin/libgtop_server2`	none	none	No
libibus	`/usr/lib/python2.7/site-packages/gi/overrides/IBus.pyc` and `.pyo` have differences	none	none	No
libjpeg-turbo	FTBFS under repro. makerepropkg - many differences everywhere...	none	none	No
liblangtag	`/usr/share/gir-1.0/LangTag-0.6.gir`	none	none	No
libmp4v2	timestamp in `usr/include/mp4v2/project.h` & `usr/lib/libmp4v2.so.2.0.0`	none	none	No
libquvi	timestamp in `libquvi-0.9-0.9.4.so`	none	none	No
lirc	timestamp in yaml files, `usr/share/lirc/lirc-0.10.1.tar.gz` has lots of timestamp differences, repro causes poll() detection issue not found in makerepropkg	patch	none	No
meson	.pyc files, also some test .pyc files missing	none	none	No
r	Lots of timestamps in files, gzip timestamps, randomly(?) generated paths in `/tmp/`, binary differences...	none	none	No
transmission-gtk	uname in `usr/bin/transmission-gtk`, build with vendored depencies (miniupncpc which contains `uname -r`)	none	none	No
zabbix-agent2	Timestamp in `/usr/bin/zabbix_agent2`	none	none	No
zeitgeist	diff^{[dead link 2021-11-15 ⓘ]} Weird text differences in `/usr/lib/libzeitgeist-2.0.so.0.0.0`	none	none	No