qemu: not reproducible

[raboof]

Building this package multiple times does not yield bit-by-bit identical results, complicating the detection of Continuous Integration (CI) breaches. For more information on this issue, visit reproducible-builds.org.

Fixing bit-by-bit reproducibility also has additional advantages, such as avoiding hard-to-reproduce bugs, making content-addressed storage more effective and reducing rebuilds in such systems.

Steps To Reproduce

I have not found the attribute path to this derivation yet, so this one is a bit tricky to reproduce. You can find the diffoscope output at https://reproducible.nixos.org/nixos-iso-gnome-runtime/diff/af85f93675b5aa979ab5b6ce51ca5ba1d9648cbafe7ff6413210d515efe931ff-11751594aeb34399c50edafcc0910034217e7f2bc74997c6859d31fed1b82b88.html , though.

Additional context

It is interesting to note that the unreproduciblity is in the docs, and this is the out of the derivation - perhaps the docs shouldn't be in the out in the first place?

Of course, it would still be nice for the docs to be reproducible as well.

To take one difference from the diff:

- VHDX.block_size·std:cmdoption·1·system/images.html#cmdoption-VHDX-arg-block_size
+ VHDX.block_size·std:cmdoption·1·system/qemu-block-drivers.html#cmdoption-VHDX-arg-block_size

It looks like maybe VHDX.block_size·std:cmdoption appears in both system/images.html and in system/qemu-block-drivers.html, and it is nondeterministic which one makes it into the index? If that's the problem then perhaps that collision should be removed?

---

Add a :+1: reaction to issues you find important.

[oliviacrain]

Your hunch seems correct. I believe the nondeterminism comes from this method used to merge parallel data structures. The output of that merge is used to generate the objects.inv file from our diff. This method doesn't handle duplicates at all, and it even contains the comment "XXX: check duplicates?" (lol, lmao). I'll write up an issue for the Sphinx folks once I have some more solid evidence.

[raboof]

I changed the title to qemu since while we encountered this problem with qemu-host-cpu-only, it seems like a general problem for all qemu variants.

Indeed system/images.html and in system/qemu-block-drivers.html both contain the same headings.

So there are three (maybe four?) things to improve here, either of which would fix the reproducibility of the Gnome ISO runtime closure:

• In qemu: avoid duplicating this documentation https://gitlab.com/qemu-project/qemu/-/issues/2190
• In sphinx: deterministically generate the index https://github.com/sphinx-doc/sphinx/issues/12001
• In nixpkgs: don't include docs in the out output of the qemu packages https://github.com/NixOS/nixpkgs/issues/290890
• In r13y: I'm sceptical if the r13y script is correctly inferring that qemu-host-cpu-only is a run-time dependency of the gnome iso, https://codeberg.org/raboof/nix-reproducible-builds-report/issues/4

[physics-enthusiast]

Only tangentially related, but we should probably also regenerate these binary blobs.