Hi,
I'm kind of new to the concept of reproducible builds but it makes a lot of sense to me as far as I've been reading. I'm just trying to understand why the two `.deb` files I built at different times end up with different contents and how I can fix it. More details follow.
A few years ago, my project backported `golang-github-docker-docker-credential-helpers` `0.5.0-2` to Ubuntu 14.04 so we are building this package by ourselves. Our own maintained version is currently `0.5.0-2+mvs2`. Currently, my project is built on Ubuntu 18.04.
Recently I ran into a build reproducibility issue when building this package. The first time I built the package was on 2020-09-18; the second time we built it was on 2021-07-14. I built the same version (`0.5.0-2+mvs2`) but ended up with different `.deb` files.
(I believe the package we built in-house has had this issue for a long time but we didn't discover it until recently.)
`diffoscope` shows there are several differences but the first difference I noticed is in `Built-Using` (the other differences are related to different build IDs):
```
...
│ Birth: -
├── DEBIAN
│ ├── control
│ │ @@ -1,15 +1,15 @@
│ │ Package: golang-docker-credential-helpers
│ │ Source: golang-github-docker-docker-credential-helpers
│ │ Version: 0.5.0-2+mvs2
│ │ Architecture: amd64
│ │ Maintainer: Debian Go Packaging Team <
pkg-go-maintainers@lists.alioth.debian.org>
│ │ Installed-Size: 1515
│ │ Depends: libc6 (>= 2.14), libglib2.0-0 (>= 2.28.0), libsecret-1-0 (>= 0.7), gnome-keyring
│ │ -Built-Using: golang-1.10 (= 1.10.4-2ubuntu1~18.04.2)
│ │ +Built-Using: golang-1.10 (= 1.10.4-2ubuntu1~18.04.1)
│ │ Section: devel
│ │ Priority: extra
│ │ Homepage:
https://github.com/docker/docker-credential-helpers│ │ Description: Use native stores to safeguard Docker credentials
│ │ The docker-credential-helpers package is a suite of programs to use
│ │ the built-in OS native stores to keep Docker credentials safe.
│ │ .
... (etc.)
```
The `control` file has the content as follows:
```
...
Package: golang-docker-credential-helpers
Architecture: any
Built-Using: ${misc:Built-Using}
Depends: ${shlibs:Depends},
${misc:Depends},
libsecret-1-0,
gnome-keyring
... (etc.)
```
I also skimmed the source code of `dh_golang`. It looks like that, if I understand the code correctly, `dh_golang` runs `go version` to figure out the used version of Go (`1.10.4` in my case) and then just uses the currently available version of `golang-1.10` to replace the variable `${misc:Built-Using}`. Back on 2020-09-18, `golang-1.10 1.10.4-2ubuntu1~18.04.1` was available so this specific version was used; fast forward to 2021-07-14, `1.10.4-2ubuntu1~18.04.1` was no longer available (I didn't see it in `apt-cache policy`) but `1.10.4-2ubuntu1~18.04.2` was available, so `1.10.4-2ubuntu1~18.04.2` was used to build the `.deb` file. Hence the different `Built-Using` values in the two `.deb` files.
I have some thoughts and questions regarding the possible fixes to the issue:
1). Would it be helpful if I do not use the variable `${misc:Built-Using}` but hard-code the specific version in `control`? But hard-coding the specific version may cause problems in the future when the specified version of `golang-1.10` becomes unavailable.
2).
Can I simply remove the use of `${misc:Built-Using}`? This email (
https://lists.debian.org/debian-go/2018/09/msg00010.html) says "we're now against the policy" which seems to suggest `Built-Using` is not appropriate here. But if I understand the email correctly, even if this "against policy" issue were fixed, I would still run into the same issue because some other field "X-Go-Built-Using" would be used, so I think simply removing `Built-Using` is not right.
3). The unavailability of the older version `1.10.4-2ubuntu1~18.04.1` of `golang-1.10` seems to suggest that, if I want to truly achieve reproducible builds, I can't just rely on the external environment. For example, my project doesn't maintain our own copy of `golang-1.10` so when the version `1.10.4-2ubuntu1~18.04.1` is no longer available for use on the official Ubuntu package server, we can't reproduce the build we made before. But does this further suggest that we would have to maintain our own copy of every package that `golang-docker-credential-helpers` depends on? That doesn't sound right to me, or maybe I haven't understood how the reproducible builds should work.
--