Building this package multiple times does not yield bit-by-bit identical
results, complicating the detection of Continuous Integration (CI) breaches. For
more information on this issue, visit
reproducible-builds.org.
Fixing bit-by-bit reproducibility also has additional advantages, such as
avoiding hard-to-reproduce bugs, making content-addressed storage more effective
and reducing rebuilds in such systems.
Steps To Reproduce
1. Build the package
This step will build the package. Specific arguments are passed to the command
to keep the build artifacts so we can compare them in case of differences.
Execute the following command:
nix-build '<nixpkgs>' -A samba && nix-build '<nixpkgs>' -A samba --check --keep-failed
If the previous command completes successfully, no differences were found and
there's nothing to do, builds are reproducible.
If it terminates with the error message error: derivation '<X>' may not be deterministic: output '<Y>' differs from '<Z>', use diffoscope to investigate
the discrepancies between the two build outputs. You may need to add the
--exclude-directory-metadata recursive option to ignore files and directories
metadata (e.g. timestamp) differences.
nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
3. Examine the build log
To examine the build log, use:
nix-store --read-log $(nix-instantiate '<nixpkgs>' -A samba)
Building this package multiple times does not yield bit-by-bit identical results, complicating the detection of Continuous Integration (CI) breaches. For more information on this issue, visit reproducible-builds.org.
Fixing bit-by-bit reproducibility also has additional advantages, such as avoiding hard-to-reproduce bugs, making content-addressed storage more effective and reducing rebuilds in such systems.
Steps To Reproduce
1. Build the package
This step will build the package. Specific arguments are passed to the command to keep the build artifacts so we can compare them in case of differences.
Execute the following command:
Or using the new command line style:
2. Compare the build artifacts
If the previous command completes successfully, no differences were found and there's nothing to do, builds are reproducible. If it terminates with the error message
error: derivation '<X>' may not be deterministic: output '<Y>' differs from '<Z>'
, usediffoscope
to investigate the discrepancies between the two build outputs. You may need to add the--exclude-directory-metadata recursive
option to ignore files and directories metadata (e.g. timestamp) differences.3. Examine the build log
To examine the build log, use:
Or with the new command line style:
Additional context
It seems some of the error messages in
samba/dcerpc/smbXsrv.cpython-311-x86_64-linux-gnu.so
refer to build-time memory addresses:It seems Arch linux is seeing the same thing: https://reproducible.archlinux.org/api/v0/builds/604350/diffoscope
Add a :+1: reaction to issues you find important.