Source: cdbs
Severity: normal
Tags: patch
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
User: reproducible-bui...@lists.alioth.debian.org
Usertags: toolchain

Dear Maintainer,

I'm an occasional volunteer contributor to the Reproducible Builds[1] project, and noticed recently that a reasonably large (1000+) number of Haskell packages fail to rebuild deterministically according to the https://reproduce.debian.net test infrastructure.

I believe that the cause relates to the fact that the affected packages use the cdbs build system, often by means of include statements in their rules files, when building their documentation binary packages (*-doc).

In particular, a default-enabled call to dh-buildinfo in the debhelper.mk.in template[2] inhibits rebuild reproducibility for the packages, because the 'buildinfo_*.gz' files produced in the resulting output Debian binary packages contain package-and-version information from the build host -- particularly Essential set packages -- that may change over time despite having no influence on other content in the binary documentation package.

I discovered this after attempting a local rebuild of src:haskell-time-parsers and finding that the 'login' package mentioned in the 'buildinfo_all.gz' file was different between my local libghc-time-parsers-doc_0.2-2_all.deb build output and the version of that file hosted in the Debian archive.

The preferred format[4] to declare the relevant set of build dependencies to (re)construct a Debian binary package identically from source is .buildinfo[5], and I believe that this offers a replacement for the dh-buildinfo call.

I would like to request that dh-buildinfo is removed from the build-deps for the build-depends that it generates[2] for packages that use cdbs as a buildsystem. I suggest this (with patch attached) as a way to allow package maintainers to opt in to continuing to use dh-buildinfo for their packages if they want to by adding it to their build-dep(-indep) clauses, while simultaneously allowing the majority of packages to achieve more future-proof build reproducibility.

Regards,
James

[1] - https://reproducible-builds.org
[2] - https://sources.debian.org/src/cdbs/0.4.166/1/rules/debhelper.mk.in/#L105-L106
[3] - https://manpages.debian.org/bookworm/devscripts/debrebuild.1.en.html
[4] - https://reproducible-builds.org/tools/
[5] - https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles

From: James Addison <j...@jp-hosting.net> Date: Sat, 23 Nov 2024 20:26:42 +0000 Subject: Remove default addition of dh-buildinfo build-dep The dh_buildinfo helper produces a list of dependencies found on the build host, to aid downstream sites rebuilding from source. However, this file can in fact inhibit reproducibility, because some dependencies that vary on the build host may not be relevant to the build process. A more recent and preferred format of the Reproducible Builds[1] project that achieves the same goal for Debian packages is the .buildinfo format; as of Y2024 these files are widely used and are in active use verifying bit-for-bit package (re)build integrity. So, remove the default dependency on dh-buildinfo; individual package maintainers may choose to enable it if they wish to. --- Index: cdbs-0.4.166/1/rules/debhelper.mk.in =================================================================== --- cdbs-0.4.166.orig/1/rules/debhelper.mk.in +++ cdbs-0.4.166/1/rules/debhelper.mk.in @@ -102,9 +102,6 @@ CDBS_BUILD_DEPENDS_rules_debhelper_v10 ? CDBS_BUILD_DEPENDS_rules_debhelper_v$(DH_COMPAT) ?= debhelper (>= $(DH_COMPAT)~) CDBS_BUILD_DEPENDS +=, $(CDBS_BUILD_DEPENDS_rules_debhelper_v$(DH_COMPAT)) -CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo ?= dh-buildinfo -CDBS_BUILD_DEPENDS +=, $(CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo) - ifeq ($(DEB_VERBOSE_ALL), yes) DH_VERBOSE = 1 endif
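
Review bot: The removal of CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo in the @@ -102,9 +102,6 @@ hunk of 1/rules/debhelper.mk.in drops the variable outright, so a rules file that still assigns it will be silently ignored after this change. Please document the replacement opt-in in the changelog or NEWS, namely listing dh-buildinfo directly in the package's own build dependencies as the commit message describes. This hunk touches only the generated build-dependency; nothing visible here changes where dh_buildinfo is invoked, so please confirm that the invocation is skipped when the tool is not installed, otherwise packages that do not opt in could fail at that step instead of building without the buildinfo_*.gz file.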