reproducible build #175

Closed
andyli opened this issue Apr 4, 2018 · 7 comments

Comments

@andyli
Contributor

andyli commented Apr 4, 2018

The executable built by obuild, as well as the obuild bootstrap executable, are not reproducible, according to openSUSE's report: https://bugzilla.opensuse.org/show_bug.cgi?id=1087961

Such effects have been observed in other packages when .o files were linked together in (random) filesystem order

I tested it with an Ubuntu 16.04 machine:

```sh
sudo apt install disorderfs ocaml-nox

# compile obuild normally
cd path/to/obuild
./bootstrap
mv dist dist-orig # rename dist such that it wouldn't be overwritten later

# create a filesystem where the directory listing order is reversed
cd ..
mkdir obuild-reverse
disorderfs --reverse-dirents=yes $(pwd)/obuild obuild-reverse

# compile obuild in such reversed filesystem
cd obuild-reverse
./bootstrap

# compare the output
cmp dist/build/obuild/obuild dist-orig/build/obuild/obuild
```

I've also compared the obuild.bootstrap executables in the two builds, they are also different from each other.

@UnixJunkie

What would be a proper fix?
Should obuild sort the list of files prior to doing anything, and not rely on the order given by the filesystem?

@andyli
Contributor Author

andyli commented Apr 4, 2018

Exactly, sort all the linker inputs manually and it should be fine.
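The two points above (the disorderfs check in the opening comment, and the proposed fix of sorting linker inputs) are illustrated below in an added example. This is not obuild's code; it is a small POSIX sh script that assumes only coreutils (`cksum`, `tsort`, `mktemp`) and a writable `/tmp`. The "link" step is a constructed stand-in: it concatenates its inputs in the order given and fingerprints the result, which is enough to show why readdir order leaks into the output and why a bytewise sort removes it. One caveat a practitioner will hit: OCaml's own linker requires `.cmo`/`.cmx` modules in dependency order, so a plain sort is only right for inputs whose order is semantically free (C stub `.o` files, for example). For dependency-ordered inputs the example sorts the edge list before `tsort`, so ties between independent modules are broken the same way on every run. The sample object files and the dependency edges are constructed for the demo.

```shell
# Added example (not obuild code): deterministic linker-input ordering.
# Assumes POSIX sh plus coreutils: cksum, tsort, mktemp.
set -eu

# Collect *.o files from DIR, one per line, in bytewise-sorted order.
# readdir order is unspecified (disorderfs --reverse-dirents=yes proves it),
# and locale-dependent sorting differs between machines, so LC_ALL=C is
# set explicitly to make the order identical everywhere.
sorted_objects() {
  for f in "$1"/*.o; do
    [ -e "$f" ] && printf '%s\n' "$f"
  done | LC_ALL=C sort
}

# Constructed stand-in for a link step: concatenate the inputs in the order
# given and fingerprint the result. A real linker also lays out inputs in
# the order it receives them, which is exactly why unordered inputs yield
# a different binary on every build.
link_fingerprint() {
  cat "$@" | cksum | cut -d' ' -f1
}

# For inputs that must follow dependency order (OCaml .cmx/.cmo modules),
# a plain sort is wrong. Instead, sort the edge list bytewise first so that
# tsort sees identical input, and therefore emits an identical order, on
# every run. EDGES is a file of lines "dependency dependent".
deterministic_link_order() {
  LC_ALL=C sort "$1" | tsort
}

# Show that two plausible readdir orders give different fingerprints,
# while the sorted order gives the same fingerprint each time.
demo() {
  work=$(mktemp -d)
  # Constructed "object files" with distinct contents.
  printf 'alpha' > "$work/a.o"
  printf 'beta'  > "$work/b.o"
  printf 'gamma' > "$work/c.o"
  # Two different filesystem orders for the same set of inputs.
  fp_fs1=$(link_fingerprint "$work/a.o" "$work/b.o" "$work/c.o")
  fp_fs2=$(link_fingerprint "$work/c.o" "$work/b.o" "$work/a.o")
  # Sorted order, twice: same inputs, same order, same output.
  # (Unquoted on purpose: paths from mktemp contain no whitespace.)
  fp_sorted1=$(link_fingerprint $(sorted_objects "$work"))
  fp_sorted2=$(link_fingerprint $(sorted_objects "$work"))
  rm -rf "$work"
  [ "$fp_fs1" != "$fp_fs2" ] && [ "$fp_sorted1" = "$fp_sorted2" ] && echo reproducible
}

# Show that the dependency order is stable even when the edge list is
# presented in a different line order. Prints the order on one line.
order_check() {
  edges=$(mktemp)
  # Constructed dependency edges: main needs util and parser; parser needs lexer.
  printf 'util.cmx main.cmx\nlexer.cmx parser.cmx\nparser.cmx main.cmx\n' > "$edges"
  o1=$(deterministic_link_order "$edges")
  printf 'parser.cmx main.cmx\nutil.cmx main.cmx\nlexer.cmx parser.cmx\n' > "$edges"
  o2=$(deterministic_link_order "$edges")
  rm -f "$edges"
  [ "$o1" = "$o2" ] || return 1
  set -- $o1
  printf '%s\n' "$*"
}
```

Running `demo` prints `reproducible`; `order_check` prints a single valid link order ending in `main.cmx`, and the same one regardless of how the edge file was written. The real check for obuild remains the one in the opening comment: build once normally, once under `disorderfs --reverse-dirents=yes`, and `cmp` the two executables; any sort applied inside the build tool has to make that comparison come out clean.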

@UnixJunkie

Looks like an easy patch.
I know you have hacked into obuild in the past.
Interested in submitting a patch?

@UnixJunkie UnixJunkie added the bug label Apr 4, 2018
@andyli
Contributor Author

andyli commented Apr 4, 2018

I have been quite busy recently so I'm afraid I wouldn't have the time to do so soonish.

@UnixJunkie

Personally, I have only sent cosmetic patches to obuild.
I don't even know if linking needs files in a special order like a topological sort or something.

But today I managed to triage all obuild issues. That will be my great open source contribution of the day. :)

@UnixJunkie

This issue is important for security: it allows people to trust that the binary they use was indeed produced from the source code of the given version.

@UnixJunkie

Debian also has a reproducible builds infrastructure in place.
