---
name: Unreproducible package
about: A package that does not produce a bit-by-bit reproducible result each time it is built
title: ''
labels: [ '0.kind: enhancement', '6.topic: reproducible builds' ]
assignees: ''
---

<!--
Hello dear reporter,

Thank you for bringing attention to this issue. Your insights are valuable to
us, and we appreciate the time you took to document the problem.

I wanted to kindly point out that in this issue template, it would be beneficial
to replace the placeholder `<package>` with the actual, canonical name of the
package you're reporting the issue for. Doing so will provide better context and
facilitate quicker troubleshooting for anyone who reads this issue in the
future.

Best regards
-->

Building this package multiple times does not yield bit-by-bit identical
results, complicating the detection of Continuous Integration (CI) breaches. For
more information on this issue, visit
[reproducible-builds.org](https://reproducible-builds.org/).

Fixing bit-by-bit reproducibility also has additional advantages, such as
avoiding hard-to-reproduce bugs, making content-addressed storage more effective
and reducing rebuilds in such systems.

### Steps To Reproduce

In the following steps, replace `<package>` with the canonical name of the
package.

#### 1. Build the package

This step will build the package. Specific arguments are passed to the command
to keep the build artifacts so we can compare them in case of differences.

Execute the following command:

```
nix-build '<nixpkgs>' -A <package> && nix-build '<nixpkgs>' -A <package> --check --keep-failed
```

Or using the new command line style:

```
nix build nixpkgs#<package> && nix build nixpkgs#<package> --rebuild --keep-failed
```

#### 2. Compare the build artifacts

If the previous command completes successfully, no differences were found and
there's nothing to do: the builds are reproducible.
If it terminates with the error message `error: derivation '<X>' may not be
deterministic: output '<Y>' differs from '<Z>'`, use `diffoscope` to investigate
the discrepancies between the two build outputs. You may need to add the
`--exclude-directory-metadata recursive` option to ignore differences in file
and directory metadata (*e.g. timestamps*).

```
nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive <Y> <Z>
```

#### 3. Examine the build log

To examine the build log, use:

```
nix-store --read-log $(nix-instantiate '<nixpkgs>' -A <package>)
```

Or with the new command line style:

```
nix log $(nix path-info --derivation nixpkgs#<package>)
```
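
Steps 1 and 2 chained in one script, as an added example that is not part of this template: it runs the two builds, pulls `<Y>` and `<Z>` out of the error message, and hands them to `diffoscope`. The function names `parse_nondeterminism` and `check_reproducible` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the template. Function names are hypothetical.

# Read a build log on stdin and print "<Y> <Z>": the two differing output
# paths named in Nix's non-determinism error. Status 1 if the error is absent.
parse_nondeterminism() {
  sed -n "s/^.*error: derivation '[^']*' may not be deterministic: output '\([^']*\)' differs from '\([^']*\)'.*/\1 \2/p" \
    | head -n 1 | grep .
}

# Step 1, then step 2 on a mismatch.
# Status: 0 reproducible, 1 outputs differ, 2 the build failed for another reason.
check_reproducible() {
  pkg=$1
  log=$(mktemp) || return 2
  nix-build '<nixpkgs>' -A "$pkg" || { rm -f "$log"; return 2; }
  if nix-build '<nixpkgs>' -A "$pkg" --check --keep-failed 2>"$log"; then
    rm -f "$log"
    echo "$pkg: reproducible"
    return 0
  fi
  cat "$log" >&2
  paths=$(parse_nondeterminism <"$log") || { rm -f "$log"; return 2; }
  rm -f "$log"
  # Nix store paths contain no whitespace, so splitting on the space is safe.
  set -- $paths
  nix run nixpkgs#diffoscopeMinimal -- --exclude-directory-metadata recursive "$1" "$2"
  return 1
}

# Run only when a package name is given, e.g.: sh check.sh hello
if [ "$#" -gt 0 ]; then
  check_reproducible "$1"
fi
```

A status of 2 means the second build failed without the non-determinism message, so the build log from step 3 is the place to look.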

### Additional context

(please share the relevant fragment of the diffoscope output here, and any
additional analysis you may have done)