New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gnupg22: reproducible build #87908
gnupg22: reproducible build #87908
Conversation
This replaces #78781 |
f6d05a5
to
7bd07c2
Compare
An (untested) alternative might be this patch: --- doc/mkdefsinc.c 2017-08-28 12:22:54.000000000 +0200
+++ doc/mkdefsinc.c.new 2020-05-15 22:54:13.974749616 +0200
@@ -109,7 +109,7 @@
for (; (file = *files); files++)
{
- if (!*file || !strcmp (file, ".") || !strcmp (file, ".."))
+ if (!*file || !strcmp (file, ".") || !strcmp (file, "..") || !strcmp (file, "defsincdate"))
continue;
if (stat (file, &sb))
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Built 7bd07c2d93639246e7ede2653f36884d5d87d045 on x86_64-linux
; here's the hash of the resulting store path, if anyone wants to compare for reproducibility:
emily@renko ~/s/nixpkgs ((7bd07c2d…))> nix build -f . gnupg22
emily@renko ~/s/nixpkgs ((7bd07c2d…))> ls -l result
lrwxrwxrwx 1 emily emily 56 May 15 23:08 result -> /nix/store/0rzxlgi329cy5fjldmqykqzxijghnbnf-gnupg-2.2.19
emily@renko ~/s/nixpkgs ((7bd07c2d…))> nix hash-path result
sha256-0OrnpALUxJlWUhB7AiFuSAlyORdCdT0xxZRZLX7VLpc=
@emilazy Same here. (built on NixOS stable). |
I also put this upstream for discussion: https://dev.gnupg.org/T4947 |
With some more investigation, this actually caused by nixpkgs/pkgs/tools/security/gnupg/22.nix Lines 40 to 42 in 84cf00f
doc\defsincdate being erased, as the modification time of doc\dirmngr.texi becomes more recent and hence the cdoc/defsincdateurrent date leadoc/defsincdateks into the build.This PR works only, because it updates doc\defsincdate after the patch phase(s) and a simple touch doc/defsincdate will do the trick while keeping the original timestamp provided from upstream, hence updated the PR.nix hash-path result should now return
for
|
Reproduced |
Which is correct and doesn't help. :) We got both fooled and simply computed the hash of the symlink. Quick confirmation:
So what actually needs verifying is
which I can confirm for two builds on different days and on different machines. |
Gah, I specifically worried about whether that might be the case but forgot to check... Thankfully, the hash of the actual tree seems to match as well:
|
GnuPG has a very peculiar way of fixing the date for the documentation. It relies on a timestamp in the file `doc/defsincdate`, which is by default generated by looking at the timestamp of the latest git commit. If building from a tarball, this file is empty and `mkdefsinc` will fall back to the timestamp of the newest source file, which is `doc/defsincdate`. Thus, the build date ends up in the documentation. Creating and populating `doc/defsincdate` with the the value of `SOURCE_DATE_EPOCH` provided by NixPkgs' stdEnv fixes this.
just touch to keep timestamp from upstream instead of forcing it to $SOURCE_DATE_EPOCH
e0c1fad
to
ecb6edb
Compare
@GrahamcOfBorg eval |
@fpletz @peti Do you think this can be merged? |
My preferrence is to go with the solution used by upstream, to be honest. |
@peti This would require that we set Currently (nixpkgs/master) we get:
Using the upstream patch without further adjustment would result into something like
So my preference is to either keep the simple edit to keep context: we patch a path in the source for the info file, which then triggers the make-rule for updating the timestamp file, leaking the build time into the info pages. |
ping @peti |
/marvin opt-in |
Hi! I'm an experimental bot. My goal is to guide this PR through its stages, hopefully ending with a merge. You can read up on the usage here. |
/status needs_reviewer |
@wamserma Trying to follow the discussion here, and I feel like I'm missing something based on your latest recommendation; it seems to me that you're suggesting relying on |
@srhb Is that correct, or am I misunderstanding? Slight misunderstanding. You are right about reproducibility in general, but we have a special setting here: There is a timestamp for the source in the file that is touched. This timestamp is delivered in the source tarball. To sum up (and answer you question). While the |
@wamserma Thank you for clarifying. I still have some questions -- please bear with me. 😄 As I understand your elaboration, upstream has patched the build such that
This "extracting of the desired timestamp" already happens automatically in the standard builder, through the Unfortunately, it seems the upstream patch is broken, as it complains that If my understanding is correct, then I propose we fix this upstream instead. |
fwiw,
... appears to do the trick with the recently released 2.2.21, which includes the source date patch, but again, please correct me if I'm wrong. :) |
I cannot confirm.
|
@wamserma I don't think "July" is wrong here -- the unpacked source indeed has sources that are from July, and that's what the build hook picks up. |
Superseded by #93976 |
For completeness: Debian has patched this issue quite a while ago, but somehow I never came across their patch. (They simply remove the defsincdate update from the Makefile). The Debian patch is referenced in #93937. |
GnuPG has a very peculiar way of fixing the date for the documentation.
It relies on a timestamp in the file
doc/defsincdate
, which is by defaultgenerated by looking at the timestamp of the latest git commit.
If building from a tarball, this file is empty and
mkdefsinc
will fallback to the timestamp of the newest source file, which is
doc/defsincdate
.Thus, the build date ends up in the documentation.
Creating and populating
doc/defsincdate
with the the value ofSOURCE_DATE_EPOCH
provided by NixPkgs' stdEnv fixes this.Motivation for this change
GnuPG build was not fully reproducible according to r13y.com
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)