Re: Bug#805321: debian-installer: builds unreproducible netboot images

[Cyril Brulebois]

Hi,

Steven Chamberlain  (2016-01-11):
> Please could you or I:
> git cherry-pick ff722581b71778707551433e0b302e4c3a341619
> into master, as-is?
> 
> As described by:
> https://anonscm.debian.org/cgit/d-i/debian-installer.git/commit/?id=ff722581b71778707551433e0b302e4c3a341619
> this is needed for kfreebsd netboot images to be reproducible.  The
> required functionality is provided by makefs 20100306-6, now in
> sid+stretch.

Feel free to go ahead.

Mraw,
KiBi.


signature.asc
Description: Digital signature

Re: Bug#805321: debian-installer: builds unreproducible netboot images

[Steven Chamberlain]

Hi KiBi,

Please could you or I:
git cherry-pick ff722581b71778707551433e0b302e4c3a341619
into master, as-is?

As described by:
https://anonscm.debian.org/cgit/d-i/debian-installer.git/commit/?id=ff722581b71778707551433e0b302e4c3a341619
this is needed for kfreebsd netboot images to be reproducible.  The
required functionality is provided by makefs 20100306-6, now in
sid+stretch.

Thanks,
Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#805321: [Reproducible-builds] Bug#805321: Bug#805321: debian-installer: builds unreproducible netboot images

[Mattia Rizzolo]

On Sat, Nov 28, 2015 at 12:08:44AM +, Steven Chamberlain wrote:
> > FWIW, I'm not exactly entirely convinced by the exporting of the
> > SOURCE_DATE_EPOCH variable from debian/rules; all other variables have
> > been passed without exporting so I'm wondering if we shouldn't adapt
> > this to behave like other variables, reducing possible surprise for
> > users.
> 
> Just to explain that -- if it's defined in the environment, it requires
> no special handling and doesn't need to be (re-)exported.  I think this
> is maybe the case now for dpkg-buildpackage in sid?

it's not, dpkg hasn't merged that patch (tbh I'm not even sure we
forwarded that). Though debhelper exports SOURCE_DATE_EPOCH when using
the dh sequencer.

-- 
regards,
Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540  .''`.
more about me:  http://mapreri.org  : :'  :
Launchpad user: https://launchpad.net/~mapreri  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-


signature.asc
Description: PGP signature

Bug#805321: [Reproducible-builds] Bug#805321: debian-installer: builds unreproducible netboot images

[Steven Chamberlain]

Hi,

Cyril Brulebois wrote:
> I've cherry-picked 3 patches from there onto master locally and I'm
> currently running diffoscope to see how that goes (and it's taking
> ages…):

I'm guessing the initrd would differ if the Linux tool to generate it
stores timestamps.  If its compressed size varies much due to those
differences, the .iso block numbers may vary as a result.

> FWIW, I'm not exactly entirely convinced by the exporting of the
> SOURCE_DATE_EPOCH variable from debian/rules; all other variables have
> been passed without exporting so I'm wondering if we shouldn't adapt
> this to behave like other variables, reducing possible surprise for
> users.

Just to explain that -- if it's defined in the environment, it requires
no special handling and doesn't need to be (re-)exported.  I think this
is maybe the case now for dpkg-buildpackage in sid?

If the dpkg-buildpackage environment doesn't have SOURCE_DATE_EPOCH
(e.g. jessie), debian/rules sets it to the correct value, and so must
export that.

Or (for jessie or sid), in case build/Makefile is used directly, outside
of a package build, we set SOURCE_DATE_EPOCH to a dummy value ("now") if
undefined (since ../debian/changelog may not exist), which we need
when calling makefs from within that Makefile.  We export it for use by
gen-tarball to avoid duplication there.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#805321: [Reproducible-builds] Bug#805321: debian-installer: builds unreproducible netboot images

[Cyril Brulebois]

Cyril Brulebois  (2015-11-26):
> I've cherry-picked 3 patches from there onto master locally and I'm
> currently running diffoscope to see how that goes (and it's taking
> ages…):
>   c182491b05fec16497f2bf1290cac16773d175f9
>   5d59fd1813e794d0821c00757dd56fd9ca25ed16
>   d126622567cfbe10d7f8a207a292eaab622ef73e

The following files are different after two builds with debuild -b once
the 3 commits are applied:
./installer-amd64/20151024/images/cdrom/gtk/debian-cd_info.tar.gz
./installer-amd64/20151024/images/cdrom/gtk/initrd.gz
./installer-amd64/20151024/images/cdrom/initrd.gz
./installer-amd64/20151024/images/hd-media/boot.img.gz
./installer-amd64/20151024/images/hd-media/gtk/initrd.gz
./installer-amd64/20151024/images/hd-media/initrd.gz
./installer-amd64/20151024/images/netboot/debian-installer/amd64/initrd.gz
./installer-amd64/20151024/images/netboot/gtk/debian-installer/amd64/initrd.gz
./installer-amd64/20151024/images/netboot/gtk/netboot.tar.gz
./installer-amd64/20151024/images/netboot/netboot.tar.gz

I see at least timestamp issues in initramfses; this might be due to the
fact that pigz (installed in my development chroots) seems to need both
-n and -T to behave like gzip's -n.

I might poke a bit more around this before pushing.

Mraw,
KiBi.


signature.asc
Description: Digital signature

Bug#805321: [Reproducible-builds] Bug#805321: debian-installer: builds unreproducible netboot images

[Cyril Brulebois]

Hi,

Steven Chamberlain  (2015-11-22):
> I rewrote the patches according to KiBi's feedback and they are
> now uploaded to our jessie-kfreebsd suite, and this Git branch:
> https://anonscm.debian.org/cgit/d-i/debian-installer.git/log/?h=jessie-kfreebsd

I've cherry-picked 3 patches from there onto master locally and I'm
currently running diffoscope to see how that goes (and it's taking
ages…):
  c182491b05fec16497f2bf1290cac16773d175f9
  5d59fd1813e794d0821c00757dd56fd9ca25ed16
  d126622567cfbe10d7f8a207a292eaab622ef73e

> In my own testing on ZFS, file ordering was still an issue for the
> makefs tool that builds the initrd.  But if I were to try again
> on UFS, I hope to be able to reproduce the entire
> netboot-installer-images tarball as built by the buildds.
> 
> This tarball includes bits that are bundled onto the official release
> images by debian-cd tools.  Making this reproducible is a prerequisite
> for someday having reproducibly-built official release images.
> 
> I could merge these patches into sid if they seem okay?  The only
> commit that should not be merged is this one, which is specific to
> jessie-kfreebsd and must be slightly changed for sid:
>   kfreebsd: use makefs -T to clamp timestamps

I suppose your time is better spent actually working on kfreebsd so
that's why I decided to cherry-pick the patches myself.

FWIW, I'm not exactly entirely convinced by the exporting of the
SOURCE_DATE_EPOCH variable from debian/rules; all other variables have
been passed without exporting so I'm wondering if we shouldn't adapt
this to behave like other variables, reducing possible surprise for
users.

I don't think that's a showstopper for a push to master though; just
thinking out loud.

> I expect that Linux d-i builds will have some reproducibility issues
> in whatever generates the initrd or ISOs, but I may look into that
> after the jessie-kfreebsd release is done.

Sure thing, thanks again!

Mraw,
KiBi.


signature.asc
Description: Digital signature

Bug#805321: [Reproducible-builds] Bug#805321: debian-installer: builds unreproducible netboot images

[Steven Chamberlain]

Hi,

I rewrote the patches according to KiBi's feedback and they are
now uploaded to our jessie-kfreebsd suite, and this Git branch:
https://anonscm.debian.org/cgit/d-i/debian-installer.git/log/?h=jessie-kfreebsd

In my own testing on ZFS, file ordering was still an issue for the
makefs tool that builds the initrd.  But if I were to try again
on UFS, I hope to be able to reproduce the entire
netboot-installer-images tarball as built by the buildds.

This tarball includes bits that are bundled onto the official release
images by debian-cd tools.  Making this reproducible is a prerequisite
for someday having reproducibly-built official release images.

I could merge these patches into sid if they seem okay?  The only
commit that should not be merged is this one, which is specific to
jessie-kfreebsd and must be slightly changed for sid:
kfreebsd: use makefs -T to clamp timestamps

I expect that Linux d-i builds will have some reproducibility issues
in whatever generates the initrd or ISOs, but I may look into that after
the jessie-kfreebsd release is done.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#805321: debian-installer: builds unreproducible netboot images

[Steven Chamberlain]

Package: debian-installer
Version: 20150422
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertag: timestamps fileordering infrastructure
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
X-Debbugs-Cc: debian-...@lists.debian.org

Hi!

The debian-installer package build produces netboot.tar.gz and
the mini.iso netboot install media.  It doesn't do this in an easily
reproducible way:

  * the d-i initrd/mfsroot is a filesystem image, having variable
mtime/ctime/atime timestamps from package build time;
  * likewise in the generated mini.iso;
  * netboot.tar.gz also has varying timestamps;  the order of files
may also vary depending on the filesystem;
  * likewise in the cd info tarball;
  * likewise in the debian-installer-images tarball;
  * all gzipped outfile files have a timestamp in the header.

I have a patch aimed at jessie-kfreebsd that should fix all of the
above.  It should be possible to do the same in sid with much less
code, due to new GNU tar features and other reproducible builds work.

I've 'clamped' timestamps to be no later than the most recent
debian/changelog entry date.  That way, the non-useful timestamps
from during the build are adjusted to a constant value.  Older
timestamps, actually indicating how old a file is, are untouched.
The BUILD_DATE, actually the package version number, is unchanged.

Specifically on kfreebsd, the generated mfsroot is a ffs filesystem
having file atimes, and another timestamp in the filesystem superblock.
I intend to patch makefs so that it can clamp timestamps to a given
SOURCE_DATE_EPOCH.

Besides a file ordering issue in makefs, all output files including
netboot.tar.gz and mini.iso then seem to be reproducible for
jessie-kfreebsd, at least.  :)

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#805321: debian-installer: builds unreproducible netboot images

[Cyril Brulebois]

Hi,

Steven Chamberlain  (2015-11-17):
> Attached is my jessie-kfreebsd implementation.  As I said, it should be
> much cleaner to implement this in sid with newer GNU tar.
> 
> Regards,
> -- 
> Steven Chamberlain
> ste...@pyro.eu.org

> diff --git a/build/Makefile b/build/Makefile
> index ec5a084..6261a4d 100644
> --- a/build/Makefile
> +++ b/build/Makefile
> @@ -56,7 +56,7 @@
>  # Add to PATH so dpkg will always work, and so local programs will be found.
>  PATH := util:$(PATH):/usr/sbin:/sbin
>  EATMYDATA = $(shell which eatmydata 2>/dev/null)
> -GZIP = $(shell which pigz gzip | head -1)
> +GZIP = $(shell which pigz gzip | head -1) -n

I think I already added -n to a bunch of calls. Not sure whether adding
it here once and for all would be better than adding it where it's
missing though. Anyway, not my biggest question/comment/concern here.

>  # We don't want this to be run each time we re-enter.
>  ifndef DEB_HOST_ARCH
> @@ -149,7 +149,7 @@ MFSROOT_LIMIT := 68m
>  endif
>  
>  define mkfs.ufs1
> -  sh -c 'makefs -t ffs -s $(MFSROOT_LIMIT) -f 3000 -o minfree=0,version=1 
> $$0 ${TREE}'
> +  sh -c 'makefs -t ffs -T $(SOURCE_DATE_EPOCH) -s $(MFSROOT_LIMIT) -f 3000 
> -o minfree=0,version=1 $$0 ${TREE}'

Straightforward enough.

>  define e2fsck
> @@ -803,7 +803,14 @@ $(TEMP_MINIISO): $(TEMP_BOOT_SCREENS) arch_miniiso
>  
>  # various kinds of information, for use on debian-cd isos
>  $(DEBIAN_CD_INFO): $(TEMP_BOOT_SCREENS) $(TEMP_CD_INFO_DIR)
> - (cd $(TEMP_CD_INFO_DIR); tar czf - .) > $@
> + # Clamp timestamps to be no newer than last changelog entry, see
> + # https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
> + find $(TEMP_CD_INFO_DIR) -newermt "@$(SOURCE_DATE_EPOCH)" -print0 | 
> xargs -0r touch --no-dereference --date="@$(SOURCE_DATE_EPOCH)"
> + # Create tarball with files sorted in a stable order, see
> + # https://wiki.debian.org/ReproducibleBuilds/FileOrderInTarballs
> + # and without timestamp in the gzip header, see
> + # https://wiki.debian.org/ReproducibleBuilds/TimestampsInGzipHeaders
> + ( cd $(TEMP_CD_INFO_DIR) && find . -print0 | LC_ALL=C sort -z | GZIP=-n 
> tar --no-recursion --null -T - -czf -) > $@
>   update-manifest $@ $(MANIFEST-DEBIAN_CD_INFO)

Once.

>  # a directory full of files for netbooting
> @@ -822,7 +829,14 @@ $(NETBOOT_TAR): $(TEMP_NETBOOT_DIR)
>   # Create an version info file.
>   echo 'Debian version:  $(DEBIAN_VERSION)' > 
> $(TEMP_NETBOOT_DIR)/version.info
>   echo 'Installer build: $(BUILD_DATE)' >> 
> $(TEMP_NETBOOT_DIR)/version.info
> - (cd $(TEMP_NETBOOT_DIR); tar czf - .) > $@
> + # Clamp timestamps to be no newer than last changelog entry, see
> + # https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
> + find $(TEMP_NETBOOT_DIR) -newermt "@$(SOURCE_DATE_EPOCH)" -print0 | 
> xargs -0r touch --no-dereference --date="@$(SOURCE_DATE_EPOCH)"
> + # Create tarball with files sorted in a stable order, see
> + # https://wiki.debian.org/ReproducibleBuilds/FileOrderInTarballs
> + # and without timestamp in the gzip header, see
> + # https://wiki.debian.org/ReproducibleBuilds/TimestampsInGzipHeaders
> + ( cd $(TEMP_NETBOOT_DIR) && find . -print0 | LC_ALL=C sort -z | GZIP=-n 
> tar --no-recursion --null -T - -czf -) > $@

Twice.

>   update-manifest $@ $(MANIFEST-NETBOOT_TAR) $(UDEB_LISTS)
>  
>  $(TEMP_BOOT_SCREENS): arch_boot_screens
> diff --git a/build/config/x86.cfg b/build/config/x86.cfg
> index 3caadd2..b0fc9a2 100644
> --- a/build/config/x86.cfg
> +++ b/build/config/x86.cfg
> @@ -332,6 +332,11 @@ arch_miniiso: x86_syslinux x86_grub_efi
>   | todos > $(TEMP_CD_TREE)/win32-loader.ini; \
>   fi
>  
> + # Clamp timestamps to be no newer than last changelog entry, see
> + # https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
> + find $(TEMP_CD_TREE) -newermt "$(SOURCE_DATE)" -print0 \
> +  | xargs -0r touch --no-dereference --date="$(SOURCE_DATE)"
> +

Refraining from writing “almost thrice”. [XXX]

>   if [ "$(GRUB_EFI)" = y ]; then \
>   xorriso -as mkisofs -r -J -b isolinux.bin -c boot.cat \
>   -no-emul-boot -boot-load-size 4 -boot-info-table \
> diff --git a/debian/changelog b/debian/changelog
> index 42aed37..09c8a02 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,21 @@
> +debian-installer (20150422+kbsd8u2) jessie-kfreebsd; urgency=medium
> +
> +  * Improve reproducibility of debian-installer netboot images:
> +(Closes: #805321)
> +- clamp timestamps in the d-i ramdisk to be no later than
> +  the most recent debian/changelog entry of this package
> +  - raise makefs dependency on >= 20100306-5+kbsd8u1
> +- clamp timestamps in the mini.iso similarly
> +- clamp timestamps in the netboot tarball;  store files in a
> +  stable order
> +- clamp timestamps in the cd info tarball;  store files 

Bug#805321: debian-installer: builds unreproducible netboot images

[Cyril Brulebois]

(Keeping everyone initially x-d-cc'd in the loop.)

Hi,

Steven Chamberlain  (2015-11-16):
> Package: debian-installer
> Version: 20150422
> Severity: wishlist
> Tags: patch

Where's the patch? :p

> The debian-installer package build produces netboot.tar.gz and
> the mini.iso netboot install media.  It doesn't do this in an easily
> reproducible way:
> 
>   * the d-i initrd/mfsroot is a filesystem image, having variable
> mtime/ctime/atime timestamps from package build time;
>   * likewise in the generated mini.iso;
>   * netboot.tar.gz also has varying timestamps;  the order of files
> may also vary depending on the filesystem;
>   * likewise in the cd info tarball;
>   * likewise in the debian-installer-images tarball;
>   * all gzipped outfile files have a timestamp in the header.
> 
> I have a patch aimed at jessie-kfreebsd that should fix all of the
> above.  It should be possible to do the same in sid with much less
> code, due to new GNU tar features and other reproducible builds work.

Please make sure not to depend on features which are not found in stable
(I'm not entirely sure about oldstable at this point), which might hinder
our ability to cherry-pick bits and pieces from master to jessie.

I know this might sound a bit silly since you're talking about targetting
jessie-kfreebsd anyway, but I'd like to point that out anyway, just in
case someone wants to rework/“simplify” your work later on.

> I've 'clamped' timestamps to be no later than the most recent
> debian/changelog entry date.  That way, the non-useful timestamps
> from during the build are adjusted to a constant value.  Older
> timestamps, actually indicating how old a file is, are untouched.
> The BUILD_DATE, actually the package version number, is unchanged.
> 
> Specifically on kfreebsd, the generated mfsroot is a ffs filesystem
> having file atimes, and another timestamp in the filesystem superblock.
> I intend to patch makefs so that it can clamp timestamps to a given
> SOURCE_DATE_EPOCH.
> 
> Besides a file ordering issue in makefs, all output files including
> netboot.tar.gz and mini.iso then seem to be reproducible for
> jessie-kfreebsd, at least.  :)

I don't have much knowledge in this area (or time to investigate right
away), so I'll probably let reproducible people comment on this once they
see your patch.

Mraw,
KiBi.


signature.asc
Description: Digital signature

Bug#805321: debian-installer: builds unreproducible netboot images

[Steven Chamberlain]

Attached is my jessie-kfreebsd implementation.  As I said, it should be
much cleaner to implement this in sid with newer GNU tar.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
diff --git a/build/Makefile b/build/Makefile
index ec5a084..6261a4d 100644
--- a/build/Makefile
+++ b/build/Makefile
@@ -56,7 +56,7 @@
 # Add to PATH so dpkg will always work, and so local programs will be found.
 PATH := util:$(PATH):/usr/sbin:/sbin
 EATMYDATA = $(shell which eatmydata 2>/dev/null)
-GZIP = $(shell which pigz gzip | head -1)
+GZIP = $(shell which pigz gzip | head -1) -n
 
 # We don't want this to be run each time we re-enter.
 ifndef DEB_HOST_ARCH
@@ -149,7 +149,7 @@ MFSROOT_LIMIT := 68m
 endif
 
 define mkfs.ufs1
-  sh -c 'makefs -t ffs -s $(MFSROOT_LIMIT) -f 3000 -o minfree=0,version=1 $$0 ${TREE}'
+  sh -c 'makefs -t ffs -T $(SOURCE_DATE_EPOCH) -s $(MFSROOT_LIMIT) -f 3000 -o minfree=0,version=1 $$0 ${TREE}'
 endef
 
 define e2fsck
@@ -803,7 +803,14 @@ $(TEMP_MINIISO): $(TEMP_BOOT_SCREENS) arch_miniiso
 
 # various kinds of information, for use on debian-cd isos
 $(DEBIAN_CD_INFO): $(TEMP_BOOT_SCREENS) $(TEMP_CD_INFO_DIR)
-	(cd $(TEMP_CD_INFO_DIR); tar czf - .) > $@
+	# Clamp timestamps to be no newer than last changelog entry, see
+	# https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
+	find $(TEMP_CD_INFO_DIR) -newermt "@$(SOURCE_DATE_EPOCH)" -print0 | xargs -0r touch --no-dereference --date="@$(SOURCE_DATE_EPOCH)"
+	# Create tarball with files sorted in a stable order, see
+	# https://wiki.debian.org/ReproducibleBuilds/FileOrderInTarballs
+	# and without timestamp in the gzip header, see
+	# https://wiki.debian.org/ReproducibleBuilds/TimestampsInGzipHeaders
+	( cd $(TEMP_CD_INFO_DIR) && find . -print0 | LC_ALL=C sort -z | GZIP=-n tar --no-recursion --null -T - -czf -) > $@
 	update-manifest $@ $(MANIFEST-DEBIAN_CD_INFO)
 
 # a directory full of files for netbooting
@@ -822,7 +829,14 @@ $(NETBOOT_TAR): $(TEMP_NETBOOT_DIR)
 	# Create an version info file.
 	echo 'Debian version:  $(DEBIAN_VERSION)' > $(TEMP_NETBOOT_DIR)/version.info
 	echo 'Installer build: $(BUILD_DATE)' >> $(TEMP_NETBOOT_DIR)/version.info
-	(cd $(TEMP_NETBOOT_DIR); tar czf - .) > $@
+	# Clamp timestamps to be no newer than last changelog entry, see
+	# https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
+	find $(TEMP_NETBOOT_DIR) -newermt "@$(SOURCE_DATE_EPOCH)" -print0 | xargs -0r touch --no-dereference --date="@$(SOURCE_DATE_EPOCH)"
+	# Create tarball with files sorted in a stable order, see
+	# https://wiki.debian.org/ReproducibleBuilds/FileOrderInTarballs
+	# and without timestamp in the gzip header, see
+	# https://wiki.debian.org/ReproducibleBuilds/TimestampsInGzipHeaders
+	( cd $(TEMP_NETBOOT_DIR) && find . -print0 | LC_ALL=C sort -z | GZIP=-n tar --no-recursion --null -T - -czf -) > $@
 	update-manifest $@ $(MANIFEST-NETBOOT_TAR) $(UDEB_LISTS)
 
 $(TEMP_BOOT_SCREENS): arch_boot_screens
diff --git a/build/config/x86.cfg b/build/config/x86.cfg
index 3caadd2..b0fc9a2 100644
--- a/build/config/x86.cfg
+++ b/build/config/x86.cfg
@@ -332,6 +332,11 @@ arch_miniiso: x86_syslinux x86_grub_efi
 			| todos > $(TEMP_CD_TREE)/win32-loader.ini; \
 	fi
 
+	# Clamp timestamps to be no newer than last changelog entry, see
+	# https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
+	find $(TEMP_CD_TREE) -newermt "$(SOURCE_DATE)" -print0 \
+	 | xargs -0r touch --no-dereference --date="$(SOURCE_DATE)"
+
 	if [ "$(GRUB_EFI)" = y ]; then \
 		xorriso -as mkisofs -r -J -b isolinux.bin -c boot.cat \
 			-no-emul-boot -boot-load-size 4 -boot-info-table \
diff --git a/debian/changelog b/debian/changelog
index 42aed37..09c8a02 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+debian-installer (20150422+kbsd8u2) jessie-kfreebsd; urgency=medium
+
+  * Improve reproducibility of debian-installer netboot images:
+(Closes: #805321)
+- clamp timestamps in the d-i ramdisk to be no later than
+  the most recent debian/changelog entry of this package
+  - raise makefs dependency on >= 20100306-5+kbsd8u1
+- clamp timestamps in the mini.iso similarly
+- clamp timestamps in the netboot tarball;  store files in a
+  stable order
+- clamp timestamps in the cd info tarball;  store files in a
+  stable order
+- clamp timestamps in the output debian-installer-images tarball;
+  store files in a stable order
+- disable timestamps in gzip output (e.g. initrd.gz and tarballs)
+
+ -- Steven Chamberlain   Tue, 10 Nov 2015 21:38:46 +
+
 debian-installer (20150422+kbsd8u1) jessie-kfreebsd; urgency=medium
 
   * Rebuild using udebs from the jessie-kfreebsd suite, also using
diff --git a/debian/control b/debian/control
index 100ca5a..6f4df5b 100644
--- a/debian/control
+++ b/debian/control
@@ -162,7 +162,7 @@ Build-Depends:
 #		architectures if SSL_CERTS has been set locally.
 	win32-loader (>= 0.7.2) [i386 amd64 kfreebsd-i386 kfreebsd-amd64 hurd-i386],
 #		

Bug#805321: debian-installer: builds unreproducible netboot images

[Steven Chamberlain]

Hi KiBi,

Many thanks for reviewing this.

Cyril Brulebois wrote:
> Please make sure not to depend on features which are not found in stable
> (I'm not entirely sure about oldstable at this point), which might hinder
> our ability to cherry-pick bits and pieces from master to jessie.

I think I could make that easier by splitting into smaller commits:

  * parts only needed for kfreebsd
  * parts more appropriate for stable, oldstable, etc.
  * parts only appropriate for sid (or just not use new GNU tar
features yet)

> > --- a/build/Makefile
> > +++ b/build/Makefile
> > @@ -56,7 +56,7 @@
> >  # Add to PATH so dpkg will always work, and so local programs will be 
> > found.
> >  PATH := util:$(PATH):/usr/sbin:/sbin
> >  EATMYDATA = $(shell which eatmydata 2>/dev/null)
> > -GZIP = $(shell which pigz gzip | head -1)
> > +GZIP = $(shell which pigz gzip | head -1) -n
> 
> I think I already added -n to a bunch of calls. Not sure whether adding
> it here once and for all would be better than adding it where it's
> missing though. Anyway, not my biggest question/comment/concern here.

Seems reasonable to factor out and put it here.  If we don't, someone
may add a new $GZIP call later, forget -n and make it unreproducible
again.

Although it is a macro here, GZIP is also the name of an environment
variable used by gzip (but not pigz?), which is likely confusing.  And
the later tar invocations call gzip (not pigz) in quite a few places
regardless of the GZIP macro contents;  those do look at the GZIP
environment variable though.

> I think those 3(.5) occurrences really should be factorized, especially
> given the logic is the same: replacing "cd foo && tar bar ." with more
> code. Somewhere under build/util would probably be suitable.

I agree.  It is a very common pattern in other Debian packages too, and
it often needs patching for reproducibility.

> > --- a/build/config/x86.cfg
> > +++ b/build/config/x86.cfg
> > @@ -332,6 +332,11 @@ arch_miniiso: x86_syslinux x86_grub_efi
> > | todos > $(TEMP_CD_TREE)/win32-loader.ini; \
> > fi
> >  
> > +   # Clamp timestamps to be no newer than last changelog entry, see
> > +   # https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
> > +   find $(TEMP_CD_TREE) -newermt "$(SOURCE_DATE)" -print0 \
> > +| xargs -0r touch --no-dereference --date="$(SOURCE_DATE)"
> > +

> [...] above is using SOURCE_DATE, which is undefined as
> far as I can tell since SOURCE_DATE_EPOCH is what's getting defined.
> Maybe it should call the same new util (with different parameters since
> we only need touch here, and no tar call)?

That's a typo, and was buggy - it would touch all timestamps, not just
the ones necessary.  I may drop this part as I don't think it's needed
any more with the newer makefs, which will clamp the timestamps itself.

> Finally, not everything is built using debian/rules targets (with or
> without dpkg-buildpackage). One should still be able to just run e.g.:
> “make -C build build_netboot-gtk USE_UDEBS_FROM=sid”
> 
> See BUILD_DATE handling, for example. We end up with a default setting
> through:
> |build/config/common:BUILD_DATE ?= $(shell date -u '+%Y%m%d-%H:%M')

That would not be reproducible, then!  (it is embedded in the tarballs)

> [ Please note that calling $(shell dpkg-parsechangelog -SDate) to set
> SOURCE_DATE_EPOCH there would only work when building from the toplevel
> directory, and not from the build/ subdirectory for example. ]

If it's anyway not going to be reproducible, we could similarly fall
back to a SOURCE_DATE_EPOCH ?= now;  or the caller could choose to
provide them.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


signature.asc
Description: Digital signature

Bug#805321: debian-installer: builds unreproducible netboot images

[Cyril Brulebois]

(Trimming a lot because running out of time.)

Steven Chamberlain  (2015-11-17):
> Seems reasonable to factor out and put it here.  If we don't, someone
> may add a new $GZIP call later, forget -n and make it unreproducible
> again.
> 
> Although it is a macro here, GZIP is also the name of an environment
> variable used by gzip (but not pigz?), which is likely confusing.  And
> the later tar invocations call gzip (not pigz) in quite a few places
> regardless of the GZIP macro contents;  those do look at the GZIP
> environment variable though.

Feel free to rename stuff as needed.

> > Finally, not everything is built using debian/rules targets (with or
> > without dpkg-buildpackage). One should still be able to just run e.g.:
> > “make -C build build_netboot-gtk USE_UDEBS_FROM=sid”
> > 
> > See BUILD_DATE handling, for example. We end up with a default setting
> > through:
> > |build/config/common:BUILD_DATE ?= $(shell date -u '+%Y%m%d-%H:%M')
> 
> That would not be reproducible, then!  (it is embedded in the tarballs)

Sure. I just meant to point out that even if BUILD_DATE is set through
debian/rules, a default value is set for users not building through
debian/rules, meaning BUILD_DATE gets set in the end, instead of just
being empty.

> > [ Please note that calling $(shell dpkg-parsechangelog -SDate) to set
> > SOURCE_DATE_EPOCH there would only work when building from the toplevel
> > directory, and not from the build/ subdirectory for example. ]
> 
> If it's anyway not going to be reproducible, we could similarly fall
> back to a SOURCE_DATE_EPOCH ?= now;  or the caller could choose to
> provide them.

Mraw,
KiBi.


signature.asc
Description: Digital signature