Hi, I'm kind of new to the concept of reproducible builds but it makes a lot of sense to me as far as I've been reading. I'm just trying to understand why the two `.deb` files I built at different times end up with different contents and how I can fix it. More details follow.
A few years ago, my project backported `golang-github-docker-docker-credential-helpers` `*0.5.0-2*` to Ubuntu 14.04 so we are building this package by ourselves. Our own maintained version is currently `*0.5.0-2+mvs2*`. Currently, my project is built on *Ubuntu 18.04*. Recently I ran into a build reproducibility issue when building this package. The first time I built the package was on *2020-09-18*; the second time we built it was on *2021-07-14.* I built the same version (`0.5.0-2+mvs2`) but ended up with different `.deb` files. (I believe the package we built in-house has had this issue for a long time but we didn't discover it until recently.) `diffoscope` shows there are several differences but the first difference I noticed is in `Built-Using` (the other differences are related to different build IDs): ``` ... │ Birth: - ├── DEBIAN │ ├── control │ │ @@ -1,15 +1,15 @@ │ │ Package: golang-docker-credential-helpers │ │ Source: golang-github-docker-docker-credential-helpers │ │ Version: 0.5.0-2+mvs2 │ │ Architecture: amd64 │ │ Maintainer: Debian Go Packaging Team < [email protected]> │ │ Installed-Size: 1515 │ │ Depends: libc6 (>= 2.14), libglib2.0-0 (>= 2.28.0), libsecret-1-0 (>= 0.7), gnome-keyring │ │ -Built-Using: golang-1.10 (= 1.10.4-2ubuntu1~18.04.2) │ │ +Built-Using: golang-1.10 (= 1.10.4-2ubuntu1~18.04.1) │ │ Section: devel │ │ Priority: extra │ │ Homepage: https://github.com/docker/docker-credential-helpers │ │ Description: Use native stores to safeguard Docker credentials │ │ The docker-credential-helpers package is a suite of programs to use │ │ the built-in OS native stores to keep Docker credentials safe. │ │ . ... (etc.) ``` The `control` file has the content as follows: ``` ... Package: golang-docker-credential-helpers Architecture: any Built-Using: ${misc:Built-Using} Depends: ${shlibs:Depends}, ${misc:Depends}, libsecret-1-0, gnome-keyring ... (etc.) ``` I also skimmed the source code of `dh_golang`. It looks like that, if I understand the code correctly, `dh_golang` runs `go version` to figure out the used version of Go (`1.10.4` in my case) and then just uses the currently available version of `golang-1.10` to replace the variable `${misc:Built-Using}`. Back on 2020-09-18, `golang-1.10 1.10.4-2ubuntu1~18.04.1` was available so this specific version was used; fast forward to 2021-07-14, `1.10.4-2ubuntu1~18.04.1` was no longer available (I didn't see it in `apt-cache policy`) but `1.10.4-2ubuntu1~18.04.2` was available, so `1.10.4-2ubuntu1~18.04.2` was used to build the `.deb` file. Hence the different `Built-Using` values in the two `.deb` files. I have some thoughts and questions regarding the possible fixes to the issue: 1). *Would it be helpful if I do not use the variable `${misc:Built-Using}` but hard-code the specific version in `control`?* But hard-coding the specific version may cause problems in the future when the specified version of `golang-1.10` becomes unavailable. 2). *Can I simply remove the use of `${misc:Built-Using}`?* This email ( https://lists.debian.org/debian-go/2018/09/msg00010.html) says "we're now against the policy" which seems to suggest `Built-Using` is not appropriate here. But if I understand the email correctly, even if this "against policy" issue were fixed, I would still run into the same issue because some other field "X-Go-Built-Using" would be used, so I think simply removing `Built-Using` is not right. 3). The unavailability of the older version `1.10.4-2ubuntu1~18.04.1` of `golang-1.10` seems to suggest that, if I want to truly achieve reproducible builds, I can't just rely on the external environment. For example, my project doesn't maintain our own copy of `golang-1.10` so when the version `1.10.4-2ubuntu1~18.04.1` is no longer available for use on the official Ubuntu package server, we can't reproduce the build we made before. *But does this further suggest that we would have to maintain our own copy of every package that `golang-docker-credential-helpers` depends on?* That doesn't sound right to me, or maybe I haven't understood how the reproducible builds should work. Any suggestions? Thanks! Best, Yaobin -- Mine Vision Systems <https://www.minevisionsystems.com/> 5877 Commerce St. Suite 118 Pittsburgh PA, USA, 15206
