Bug#810509: apt: please make the build reproducible (randomness)

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#810509: apt: please make the build reproducible (randomness)
From: Mattia Rizzolo <mattia@debian.org>
Date: Sat, 9 Jan 2016 10:51:58 +0000
Message-id: <[🔎] 20160109105158.GA26357@chase.mapreri.org>
Reply-to: Mattia Rizzolo <mattia@debian.org>, 810509@bugs.debian.org

Source: apt
Version: 1.1.10
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that apt could not be built reproducibly.

The attached patch removes extra randomness from the build system,
ensuring a stable file order when linking the built object.
This particular issues is currently visible only on our armhf builds due
to a limit in our infrastructure, but can be tested by performing the
builds using the fuse fs disorderfs.

Once applied, apt can be built reproducibly in our current experimental
framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-

From 18405011c3cdb8eff2f41fe674787f746092b27e Mon Sep 17 00:00:00 2001
From: Mattia Rizzolo <mattia@debian.org>
Date: Sat, 9 Jan 2016 10:45:34 +0000
Subject: [PATCH] fix reproducibly issue due to readdir() order by sorting the
 list of sources to be built and linked

---
 apt-inst/makefile    | 4 ++--
 apt-pkg/makefile     | 4 ++--
 apt-private/makefile | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/apt-inst/makefile b/apt-inst/makefile
index 2883cbc..5601cd9 100644
--- a/apt-inst/makefile
+++ b/apt-inst/makefile
@@ -20,7 +20,7 @@ SLIBS=$(PTHREADLIB) -lapt-pkg
 APT_DOMAIN:=libapt-inst$(MAJOR)
 LIBRARYDEPENDS=$(LIB)/libapt-pkg.so
 
-SOURCE = $(wildcard *.cc */*.cc)
-HEADERS = $(addprefix apt-pkg/,$(notdir $(wildcard *.h */*.h)))
+SOURCE = $(sort $(wildcard *.cc */*.cc))
+HEADERS = $(addprefix apt-pkg/,$(notdir $(sort $(wildcard *.h */*.h))))
 
 include $(LIBRARY_H)
diff --git a/apt-pkg/makefile b/apt-pkg/makefile
index 9236f81..e3e6e20 100644
--- a/apt-pkg/makefile
+++ b/apt-pkg/makefile
@@ -31,7 +31,7 @@ SLIBS+= -llz4
 endif
 APT_DOMAIN:=libapt-pkg$(LIBAPTPKG_MAJOR)
 
-SOURCE = $(wildcard *.cc */*.cc)
-HEADERS = $(addprefix apt-pkg/,$(notdir $(wildcard *.h */*.h)))
+SOURCE = $(sort $(wildcard *.cc */*.cc))
+HEADERS = $(addprefix apt-pkg/,$(notdir $(sort $(wildcard *.h */*.h))))
 
 include $(LIBRARY_H)
diff --git a/apt-private/makefile b/apt-private/makefile
index 9a3fbdb..1934db1 100644
--- a/apt-private/makefile
+++ b/apt-private/makefile
@@ -15,7 +15,7 @@ MINOR=0
 SLIBS=$(PTHREADLIB) -lapt-pkg
 CXXFLAGS += -fvisibility=hidden -fvisibility-inlines-hidden
 
-SOURCE = $(wildcard *.cc)
-HEADERS = $(addprefix apt-private/,$(wildcard *.h))
+SOURCE = $(sort $(wildcard *.cc))
+HEADERS = $(addprefix apt-private/,$(sort $(wildcard *.h)))
 
 include $(LIBRARY_H)
-- 
2.7.0.rc3

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Processed: Bug#810509 in apt marked as pending
  - From: owner@bugs.debian.org (Debian Bug Tracking System)
- Bug#810509: marked as done (apt: please make the build reproducible (randomness))
  - From: owner@bugs.debian.org (Debian Bug Tracking System)

Prev by Date: Re: APT 1.2 preview uploaded to experimental -- please test
Next by Date: Bug#810365: [apt] Temporary failure resolving xxxx even when the network is up and running
Previous by thread: apt_1.2~exp1_source.changes ACCEPTED into experimental
Next by thread: Processed: Bug#810509 in apt marked as pending
Index(es):
- Date
- Thread