Builds are not reproducible

[smortex]

This is a meta-issue to track work on improving openvox-agent packages build reproducibility.

Rationale

Puppetlabs packages relied on internal resources to build packages, so it was not possible for the community to fully audit the build process.

Now that we have our own tooling for building packages and anybody can check how packages are built, we can go further and make it possible to check that packages which have been built with these tools have not been altered by ensuring builds are reproducible.

How to check for reproducibility

Basically you build the package twice and check if the generated artifacts are different.

For examples, for Debian packages:

root@localhost openvox-agent # bundle exec rake 'vox:build[openvox-agent,debian-12-amd64]'
root@localhost openvox-agent # mv output/deb/debian12/openvox8 output/deb/debian12/openvox8-first
root@localhost openvox-agent # bundle exec rake 'vox:build[openvox-agent,debian-12-amd64]'
root@localhost openvox-agent # mv output/deb/debian12/openvox8 output/deb/debian12/openvox8-second
root@localhost openvox-agent # ls -l output/deb/debian12/openvox8-first output/deb/debian12/openvox8-second

The generated files in output/deb/debian12/openvox8-first and output/deb/debian12/openvox8-second can be further checked, e.g.:

root@localhost openvox8-first # ls
openvox-agent_8.11.0.2.g0ea7f7d4f-1+debian12_amd64.deb
openvox-agent-dbgsym_8.11.0.2.g0ea7f7d4f-1+debian12_amd64.deb
root@localhost openvox8-first # ar x openvox-agent_8.11.0.2.g0ea7f7d4f-1+debian12_amd64.deb
root@localhost openvox8-first # ls
control.tar.gz
data.tar.gz
debian-binary
openvox-agent_8.11.0.2.g0ea7f7d4f-1+debian12_amd64.deb
openvox-agent-dbgsym_8.11.0.2.g0ea7f7d4f-1+debian12_amd64.deb
root@localhost openvox8-first # tar zxf control.tar.gz md5sums
root@localhost openvox8-first # # Do the same with the other build
root@localhost openvox8-first # diff md5sums ../openvox8-second/md5sums

Scope

For now, I (@smortex) work on the Debian 12 packages only. Issues are likely to be similar on different targets but you are encouraged to test your platform and help with reproducibility issues resolution.

Current issues

diff -u output/deb/debian12/openvox8-first/control/md5sums output/deb/debian12/openvox8-second/control/md5sums
--- output/deb/debian12/openvox8-first/control/md5sums	2025-01-20 09:04:30.000000000 -1000
+++ output/deb/debian12/openvox8-second/control/md5sums	2025-01-20 09:09:11.000000000 -1000
@@ -1152,7 +1152,7 @@
 68461ca5187cd2c6af08786467085f2b  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/delete.png
 9f1ca0cb69861e19aacb41d097adc081  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/find.png
 c33734a1bf58bec328ffa27872e96ae1  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/loadingAnimation.gif
-e43b44a125b6477778c04ac15d64eb6d  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/macFFBgHack.png
+9eeca4fdc05ba8b720cd02439669ccd3  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/macFFBgHack.png
 19b56ff7a1b8d655927e18694d7c725a  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/package.png
 424f3392919bdaa1113f921513af55b9  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/page_green.png
 0da66bdb013f9a9d12ce7219e642bc25  opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/page_white_text.png
@@ -1757,7 +1757,7 @@
 b491c463b5ecb43b97b8c8cb367553b4  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/concern/logging.rb
 4a395b385f0838f40f85b2f48dd992bf  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/concern/obligation.rb
 dd84bb744acb9579aaa7b59ab2be6a64  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/concern/observable.rb
-4609cf69d03277d2e1aa402b28253da6  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/concurrent_ruby.jar
+a202f627f8e039c150ae774463fe9ed6  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/concurrent_ruby.jar
 bac12a44019e1cdf5db0f3880c89b569  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/configuration.rb
 b7a74358145b14a427db20faf106100c  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/constants.rb
 88e6ffca1b0b210892399df6cccfb6c4  opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/dataflow.rb
@@ -3590,7 +3590,7 @@
 c324a7f34b94044f8d38eabff159de62  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/locale-2.1.4.gem
 06f0ae43e84ec7b9357f4095f8417cd5  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/multi_json-1.15.0.gem
 bd9b5fc3bfba641766817760cc8b58e9  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/optimist-3.1.0.gem
-01c866b01654fe1dfb8d6685a7d6da3b  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/puppet-resource_api-1.9.0.gem
+c370e9c7d80cbbcac71ae2e1499a48f8  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/puppet-resource_api-1.9.0.gem
 6a48b02b5d7109331afa8bd9d55a802e  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/scanf-1.0.0.gem
 0042f4e83fbf7435f4425070d81efd9e  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/semantic_puppet-1.1.0.gem
 514c3d1db7a955fe793fc0cb149c164f  opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/text-1.3.1.gem
@@ -5264,7 +5264,7 @@
 b6e61f0c48a3cc163c197d92c199b335  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/highline-3.1.0/lib/highline/wrapper.rb
 952fd44d14cee87882239b707231609d  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/highline-3.1.0/site/.cvsignore
 09925c2f03fb37014180054ec989c4be  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/highline-3.1.0/site/highline.css
-277d99d27c26b8cb0fbaa5c11f4e0b8a  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/highline-3.1.0/site/images/logo.png
+e5b69aff5b339c6cea5ec692d200ade2  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/highline-3.1.0/site/images/logo.png
 56ca18811ccf396b7da731f0fac51480  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/highline-3.1.0/site/index.html
 6dbe3bfc4cd86ebf2eb6564f7b40c85d  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.4.0/CHANGELOG.md
 ce25d807e60e198ef91c57f397d6f351  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/hocon-1.4.0/HISTORY.md
@@ -5367,8 +5367,8 @@
 4325aa6dd25e64f57d8bfbd476e1522b  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/Rakefile
 38dafa53dd0984a59bf8d87f96f76301  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/doc/text/news.md
 a3462d8321218c53804b9f15564b4edb  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale.rb
-0142ce7c501a5ba3f8887eff29fbcc00  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/data/languages.tab.gz
-1782ac9321de20b0b06890f252c696a9  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/data/regions.tab.gz
+4e43910c1dc6c6f789c8e090cb6c79bc  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/data/languages.tab.gz
+b068975a895673f2fd707e3748917770  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/data/regions.tab.gz
 dad3c12667d06bc1f1c4f6f8d852ad4b  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/driver.rb
 8e56d4d397d88b1ef9b30343ebff8ac2  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/driver/cgi.rb
 ed8f2c956ece000c911b85ed0636f076  opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/driver/env.rb
@@ -8537,31 +8537,31 @@
 59e4ab5870b23aa1287c423afe1a6434  opt/puppetlabs/puppet/share/man/man3/libcurl.3
 c7089bab11720e9c9c17962a68c528ff  opt/puppetlabs/puppet/share/man/man3/libexslt.3
 62dd375a14e80e3759e0df4dd79e04bd  opt/puppetlabs/puppet/share/man/man3/libxslt.3
-0acf46b17ddf3149a28a2b99ac3648d8  opt/puppetlabs/puppet/share/man/man5/puppet.conf.5.gz
+630aeec6f51a0093e6a6c4c6b9f97ca8  opt/puppetlabs/puppet/share/man/man5/puppet.conf.5.gz
 b32156cf03256a86119b634d7f0509fa  opt/puppetlabs/puppet/share/man/man8/dmidecode.8
-090f59a987c96db3931d5907a69a2459  opt/puppetlabs/puppet/share/man/man8/facter.8.gz
-16dca83540cdabbd0a9f9b226d210155  opt/puppetlabs/puppet/share/man/man8/puppet-agent.8.gz
-0ff108b9027a22d3d530fc7ab02af0dd  opt/puppetlabs/puppet/share/man/man8/puppet-apply.8.gz
-9037d9d4276f6ccaa91bfb910a2a8657  opt/puppetlabs/puppet/share/man/man8/puppet-catalog.8.gz
-e50b52c9da90864a6bd32485cfa3998d  opt/puppetlabs/puppet/share/man/man8/puppet-config.8.gz
-19860f24f188b7e20c531c2a8f8c8053  opt/puppetlabs/puppet/share/man/man8/puppet-describe.8.gz
-9e6520dea178d1b293b68216d2a9b4ee  opt/puppetlabs/puppet/share/man/man8/puppet-device.8.gz
-2827fc6835992974b99047a1f1a968f1  opt/puppetlabs/puppet/share/man/man8/puppet-doc.8.gz
-ef7f355080bfecee4d1f367f7075c5f4  opt/puppetlabs/puppet/share/man/man8/puppet-epp.8.gz
-936a622bd67e66171c9d4b4d0d2bf143  opt/puppetlabs/puppet/share/man/man8/puppet-facts.8.gz
-18890074522e073b804b79ca4fb63dd2  opt/puppetlabs/puppet/share/man/man8/puppet-filebucket.8.gz
-cccee01cabc9528ada3b01e16b70cabc  opt/puppetlabs/puppet/share/man/man8/puppet-generate.8.gz
-eaca6dce50f56f48dc771c1d8b1ef95e  opt/puppetlabs/puppet/share/man/man8/puppet-help.8.gz
-3370278f5e1ec22729aae36f9bce44ed  opt/puppetlabs/puppet/share/man/man8/puppet-lookup.8.gz
-4981b8012444610d3e52da3d8abc5c63  opt/puppetlabs/puppet/share/man/man8/puppet-module.8.gz
-d9d3a45ab19308401da9825445acbded  opt/puppetlabs/puppet/share/man/man8/puppet-node.8.gz
-8c41b7086252a5082261052bc49201a5  opt/puppetlabs/puppet/share/man/man8/puppet-parser.8.gz
-d3f8a3cae1233025d498c7589a7751b2  opt/puppetlabs/puppet/share/man/man8/puppet-plugin.8.gz
-fd527f99b5129fe90b126ce7155dd4a3  opt/puppetlabs/puppet/share/man/man8/puppet-report.8.gz
-60605b8396f4313f16181ffbbe338769  opt/puppetlabs/puppet/share/man/man8/puppet-resource.8.gz
-4d325304430f29947d43810bd94b5508  opt/puppetlabs/puppet/share/man/man8/puppet-script.8.gz
-db3e851dd4fe317a1ede75b8bb46ae86  opt/puppetlabs/puppet/share/man/man8/puppet-ssl.8.gz
-87f5b74aeb3fc93ea5636abec6f4e984  opt/puppetlabs/puppet/share/man/man8/puppet.8.gz
+aaa58dcc2b307c082f81dcf3e59eeca8  opt/puppetlabs/puppet/share/man/man8/facter.8.gz
+045ed152d6f49ed2848564a16977a433  opt/puppetlabs/puppet/share/man/man8/puppet-agent.8.gz
+af134438aae1d6ca807d8b36a0c1ef20  opt/puppetlabs/puppet/share/man/man8/puppet-apply.8.gz
+65fa61d844b1eb9a29156c7384c8d493  opt/puppetlabs/puppet/share/man/man8/puppet-catalog.8.gz
+c60068042e38e8067f4e43904a8d3e5c  opt/puppetlabs/puppet/share/man/man8/puppet-config.8.gz
+ffe85ce37ed6b53771eb9035a43725d8  opt/puppetlabs/puppet/share/man/man8/puppet-describe.8.gz
+469a9f31af05097bb362bc7dbdfea165  opt/puppetlabs/puppet/share/man/man8/puppet-device.8.gz
+3f81a2e4799528f7cf383701dbde9796  opt/puppetlabs/puppet/share/man/man8/puppet-doc.8.gz
+0235c2962a1133626c674ca6dbabe170  opt/puppetlabs/puppet/share/man/man8/puppet-epp.8.gz
+8bdfb01f7b01427618a5920fa6671c99  opt/puppetlabs/puppet/share/man/man8/puppet-facts.8.gz
+51ca48c256b02614427ec059a9ceb7f3  opt/puppetlabs/puppet/share/man/man8/puppet-filebucket.8.gz
+300dc0bf7d9aa798a0d03b0a70448fe6  opt/puppetlabs/puppet/share/man/man8/puppet-generate.8.gz
+949aabcbe9458008e219f1d34d606dca  opt/puppetlabs/puppet/share/man/man8/puppet-help.8.gz
+697880f54c7dc32ccf33ff55af71d763  opt/puppetlabs/puppet/share/man/man8/puppet-lookup.8.gz
+a22fbba1d44bc1fe8a00316601c238a0  opt/puppetlabs/puppet/share/man/man8/puppet-module.8.gz
+14df3a941a046a4423f5f28c365e5ab7  opt/puppetlabs/puppet/share/man/man8/puppet-node.8.gz
+c07c3dda76ae6fb8686b8e628af3fba0  opt/puppetlabs/puppet/share/man/man8/puppet-parser.8.gz
+e9c25d4860d2627c3f439bf9d7016c0b  opt/puppetlabs/puppet/share/man/man8/puppet-plugin.8.gz
+54baf3eaf146b268fe038f56ddbf27cb  opt/puppetlabs/puppet/share/man/man8/puppet-report.8.gz
+b67ea26b2ce39bd1c313d2324f688842  opt/puppetlabs/puppet/share/man/man8/puppet-resource.8.gz
+b9378710bd08f4dc0f6dfee650c68f3c  opt/puppetlabs/puppet/share/man/man8/puppet-script.8.gz
+84ff74ed41c3fb25f6d0ee2075cc2510  opt/puppetlabs/puppet/share/man/man8/puppet-ssl.8.gz
+7b84ac6e91d256e9df1a1086c215cee4  opt/puppetlabs/puppet/share/man/man8/puppet.8.gz
 08f9e96c47d5ef91445eb6d6d596d0c7  opt/puppetlabs/puppet/share/vim/vimfiles/ftdetect/augeas.vim
 f39e0f5373313ec4470a989cc5a57b13  opt/puppetlabs/puppet/share/vim/vimfiles/syntax/augeas.vim
 ce619aff2dbcce9c8279d7f0330acfa6  opt/puppetlabs/puppet/ssl/cert.pem
@@ -8956,4 +8956,4 @@
 834374ee668df553df94fcf4e4b086ca  opt/puppetlabs/puppet/vendor_modules/zone_core/spec/unit/type/zone_spec.rb
 66f635ff74a548ef0ca441469b8f6bd8  opt/puppetlabs/pxp-agent/modules/pxp-module-puppet
 50c8f1587595cd91fc6084bddb3d5042  usr/share/doc/openvox-agent/bill-of-materials
-413badef322db641626a0f381097ee3b  usr/share/doc/openvox-agent/changelog.Debian.gz
+6b91a33721c307b17fb0aebd10e01b59  usr/share/doc/openvox-agent/changelog.Debian.gz

WIP / Related PRs

• Make build reproducible #4
  Make builds reproducible vanagon#2
  • opt/puppetlabs/puppet/lib/ruby/vendor_gems/cache/puppet-resource_api-1.9.0.gem (current date affect build)
  • usr/share/doc/openvox-agent/changelog.Debian.gz (current date used in the generated changelog entry)
• Files changed by dh_strip_nondeterminism in a non reproducible way (it did not failed the second day I worked on this. I probably messed something on my side)
  • opt/puppetlabs/puppet/lib/ruby/3.2.0/rdoc/generator/template/darkfish/images/macFFBgHack.png (timestamp in image)
  • opt/puppetlabs/puppet/lib/ruby/gems/3.2.0/gems/concurrent-ruby-1.2.3/lib/concurrent-ruby/concurrent/concurrent_ruby.jar (needs further inspection)
  • opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/highline-3.1.0/site/images/logo.png (a few bytes different in headers, more inspection needed)
  • opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/data/languages.tab.gz (gzip timestamp in header)
  • opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/locale-2.1.4/lib/locale/data/regions.tab.gz (gzip timestamp in header)
• Make compressed man pages reproducible facter#1
  • opt/puppetlabs/puppet/share/man/man8/facter.8.gz (gzip timestamp in header)
• Make compressed man pages reproducible puppet#10
  • opt/puppetlabs/puppet/share/man/man8/puppet*.8.gz (gzip timestamp in header)

[smortex]

It looks like the dh_perl helper does not support the -X / --exclude flag than debhelpers can optionally support. Since we only ship a few perl files in Puppet, and these files are third party ones, I think it is safer to just skip the dh_perl action.

I added a commit that implement this in my branch in the vanagon project.

I updated the test branch in the openvox-agent project to point to this commit, and generated packages for various versions of Debian amd64. You can try to generate these packages with these commands:

cd /tmp
git clone https://github.com/OpenVoxProject/openvox-agent # my clone does not have the required tags
cd openvox-agent
git remote add smortex https://github.com/smortex/openvox-agent
git fetch smortex
git checkout 287c1a3845347650c813a6346a82adeee53c1581 # You must be on that exact commit!
bundle config path /tmp/do-not-mess-up-with-system
bundle install
bundle exec rake 'vox:build[openvox-agent,debian-12-amd64]' # Adjust here for a different target

If you want to use Vagrant:

# To generate packages and see their md5sum:
# vagrant up --provision
Vagrant.configure("2") do |config|
  config.vm.box = "debian/bookworm64"

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "2048"
  end

  config.vm.provision "shell", inline: <<-SHELL
    apt-get update
    apt-get install -y git ruby-bundler build-essential ruby-dev libyaml-dev docker.io
    cd /tmp
    git clone https://github.com/OpenVoxProject/openvox-agent # my clone does not have the required tags
    cd openvox-agent
    git remote add smortex https://github.com/smortex/openvox-agent
    git fetch smortex
    git checkout 287c1a3845347650c813a6346a82adeee53c1581 # You must be on that exact commit!
    bundle config path /tmp/do-not-mess-up-with-system
    bundle install
    bundle exec rake 'vox:build[openvox-agent,debian-12-amd64]' # Adjust here for a different target
    md5sum /tmp/openvox-agent/output/deb/debian12/openvox8/*.deb
  SHELL
end

Here are the checksum of the files I built on my test machines:

da3717198d322a5837f5cfef18874d57  output/deb/debian10/openvox8/openvox-agent-dbgsym_8.11.0.9.g287c1a384-1+debian10_amd64.deb
105ede06e61c601ceb0385038e024dfb  output/deb/debian10/openvox8/openvox-agent_8.11.0.9.g287c1a384-1+debian10_amd64.deb
4a25f04c45b30ebe1556a38398642ef9  output/deb/debian11/openvox8/openvox-agent-dbgsym_8.11.0.9.g287c1a384-1+debian11_amd64.deb
a0355b7e3e12735d939855d2797c7648  output/deb/debian11/openvox8/openvox-agent_8.11.0.9.g287c1a384-1+debian11_amd64.deb
c58be78ec47277b170233fcc08e20d9c  output/deb/debian12/openvox8/openvox-agent-dbgsym_8.11.0.9.g287c1a384-1+debian12_amd64.deb
43f0f7f44e8ffa09196be37af75d1573  output/deb/debian12/openvox8/openvox-agent_8.11.0.9.g287c1a384-1+debian12_amd64.deb

If you have different cheksum, I uploaded my packages here for inspection:
https://agrajag.blogreen.org/~romain/openvox-agent-reproducible-builds/

Please report success / failure with a thumps-up 👍 or thumbs-down 👎 emoji. Thank you 😍 !

[anarcat]

/cc @jcharaoui

[bootc]

I just wanted to make sure that people working on reproducibility know about the Reproducible Builds project and, more specifically, Diffoscope. https://try.diffoscope.org/ makes using diffoscope really easy for smallish packages, and can dig into really gory detail about where differences come about.

[bootc]

I reproduced @smortex’s packages successfully on my Mac! Nice work!

I did run into one reproducibility issue because I had adjusted my Git config (core.abbrev=12). Having discussed this with @smortex ill be creating an issue against vanagon to get this looked into.