make builds reproducible

[anarcat]

charybdis doesn't currently build "reproducibly", that is: repeated builds with the same source code and the same toolchain will yield different binaries.

reproducible builds are interesting because they allow users to audit the binaries shipped by the authors to ensure that they match the source code that supposedly implements the software.

this was detected as part of the reproducible build project in Debian, and is demonstrated here:

https://reproducible.debian.net/rb-pkg/unstable/amd64/charybdis.html

the following bug was filed in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=768328

as mentionned above, the problem seems to be with the version.c.SH scripts that embed the build date into the build:

https://sources.debian.net/src/charybdis/3.4.2-5/src/version.c.SH/#L22

that could be useful for informative purposes, but it should be possible to override this to get a consistent date. a discussion in the libgpg-error package shows multiple solutions for this problem, ranging from accepting an environment variable:

--- a/configure.ac
+++ b/configure.ac
@@ -484,7 +484,11 @@ changequote([,])dnl
 BUILD_FILEVERSION="${BUILD_FILEVERSION}0,mym4_revision_dec"
 AC_SUBST(BUILD_FILEVERSION)

-BUILD_TIMESTAMP=`date -u +%Y-%m-%dT%H:%M+0000 2>/dev/null || date`
+if test "$EXTERNAL_BUILD_TIMESTAMP" = ''; then
+   BUILD_TIMESTAMP=`date -u +%Y-%m-%dT%H:%M+0000 2>/dev/null || date`
+else
+   BUILD_TIMESTAMP="$EXTERNAL_BUILD_TIMESTAMP"
+fi
 AC_SUBST(BUILD_TIMESTAMP)
 AC_DEFINE_UNQUOTED(BUILD_TIMESTAMP, "$BUILD_TIMESTAMP",
                    [The time this package was configured for a build])

.. to adding a configure flag (which was eventually accepted, as the problematic code was already in ./configure):

diff --git a/configure.ac b/configure.ac
index b32b751..c0435b0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -484,7 +484,13 @@ changequote([,])dnl
 BUILD_FILEVERSION="${BUILD_FILEVERSION}0,mym4_revision_dec"
 AC_SUBST(BUILD_FILEVERSION)

-BUILD_TIMESTAMP=`date -u +%Y-%m-%dT%H:%M+0000 2>/dev/null || date`
+
+AC_ARG_ENABLE([build-timestamp],
+              AC_HELP_STRING([--enable-build-timestamp],
+                             [set an explicit build timestamp for reproducibility.
+                              (default is the current time in ISO-8601 format)]),
+              [if test "$enableval" = "no"; then BUILD_TIMESTAMP="<none>"; else BUILD_TIMESTAMP="$enableval"; fi],
+              [BUILD_TIMESTAMP=`date -u +%Y-%m-%dT%H:%M+0000 2>/dev/null || date`] )
 AC_SUBST(BUILD_TIMESTAMP)
 AC_DEFINE_UNQUOTED(BUILD_TIMESTAMP, "$BUILD_TIMESTAMP",
                    [The time this package was configured for a build])

the former is probably the easiest fix for now. if there would be a generic variable in there that I could hijack, i could set that timestamp reliably in the debian package after.

see also https://wiki.debian.org/ReproducibleBuilds for more information about this effort in debian.

thanks for looking into this!

[anarcat]

so i took the former approach in #149 - but i think the best would be to strip away the build date completely. or maybe base it from the git commit date?

the platform bits (uname -a) were completely removed as they were not used.

at least allowing an override would allow the packages to be verifiable.