On 2024-03-29, Vagrant Cascadian wrote:
> So far, I have not found any reproducibility issues; everything I tested
> I was able to get to build bit-for-bit identical with what is in the
> Debian archive.
>
> I only tested bookworm security updates (not bullseye)
...
> Not yet finished building:
>
> openvswitch
So, the builds of openvswitch failed in the test suite...

...

I performed another build with tests disabled, and the amd64 packages were bit-for-bit identical, but one of the arch:all packages, "openvswitch-source", had an already known issue: embedded information (username, uid, group, gid, timestamp ...) in the included tarball. This matches the previous version tested in the reproducible builds test infrastructure:

https://tests.reproducible-builds.org/debian/dbdtxt/bookworm/amd64/openvswitch_3.1.0-2.diffoscope.txt.gz

This is an explainable issue, and I would say it does not indicate anything surprising, unexpected or malicious; it is just unfortunate that it is not bit-for-bit reproducible, as it actually requires analysis!

The good news is that newer versions (~3.2.2+) in Debian trixie and unstable of "openvswitch-source" fix this by shipping the source in a directory rather than a tarball, which dpkg normalizes when generating the .deb. So at least for future versions this issue is already fixed.

live well,
vagrant
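As an added illustration of the kind of embedded metadata described above (not code from the message or from the openvswitch packaging), the script below builds two small tarballs in memory, one carrying a build user's uid/gid/name and a fresh mtime and one normalized to root-owned entries clamped to a SOURCE_DATE_EPOCH value, and then scans each for members whose metadata would differ between build environments. The member names, owners and timestamps are constructed sample values.

```python
import io
import tarfile

# Constructed sample value standing in for the SOURCE_DATE_EPOCH a build
# would export; any member mtime newer than this is environment-dependent.
SOURCE_DATE_EPOCH = 1700000000


def add_member(tar, name, data, uid, gid, uname, gname, mtime):
    """Append one regular file to the archive with explicit ownership and mtime."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.uid, info.gid = uid, gid
    info.uname, info.gname = uname, gname
    info.mtime = mtime
    tar.addfile(info, io.BytesIO(data))


def build_tar(normalized):
    """Return tarball bytes; normalized=True mimics a reproducible archive,
    normalized=False mimics one that leaks the build user's identity."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        # Sorted member order removes filesystem-order nondeterminism.
        for name in sorted(["src/b.c", "src/a.c"]):
            if normalized:
                add_member(tar, name, b"int x;\n", 0, 0, "root", "root",
                           SOURCE_DATE_EPOCH)
            else:
                # Constructed build-user metadata (uid 1000, recent mtime).
                add_member(tar, name, b"int x;\n", 1000, 1000,
                           "builder", "builder", 1711700000)
    return buf.getvalue()


def find_unreproducible_metadata(tar_bytes, source_date_epoch=SOURCE_DATE_EPOCH):
    """Return (member, problem) pairs for metadata that varies with the
    build environment: non-root uid/gid or names, or a too-new mtime."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if m.uid != 0 or m.gid != 0:
                problems.append((m.name, f"uid/gid {m.uid}/{m.gid}"))
            if m.uname != "root" or m.gname != "root":
                problems.append((m.name, f"owner {m.uname}:{m.gname}"))
            if m.mtime > source_date_epoch:
                problems.append((m.name, f"mtime {m.mtime} > SOURCE_DATE_EPOCH"))
    return problems
```

Running find_unreproducible_metadata over a package's embedded tarball is a quick way to confirm that a diffoscope difference is of this metadata kind rather than a content change.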