Produce reproducible builds

[samuelkarp]

Go has long had issue with reproducible builds due to embedding build path information into the artifacts (see https://github.com/golang/go/issues/16860). Go 1.13 added -trimpath to strip that data, which should make reproducible builds easier.

Reproducible builds help users have confidence that the binaries match the source code.

Reproducible builds are a goal of Debian (and the existing amazon-ecr-credential-helper package fails to build reproducibly). They've also been asked for in https://github.com/awslabs/amazon-ecr-credential-helper/issues/184.

[samuelkarp]

https://github.com/golang/go/issues/33772 appears to still be an issue for Go 1.13 (see https://github.com/golang/go/issues/34326 for when the fix is backported).

[abitrolly]

Shellcode.

$ podman run --rm -t -w $(pwd) -v $(pwd):$(pwd):Z,ro \
      registry.salsa.debian.org/reproducible-builds/diffoscope gdnf520 gdnf521
...
│   The File Name Table (offset 0x1a):
│    Entry      Dir     Time    Size    Name
│    1  0       0       0       <autogenerated>
│ -  2  0       0       0       /snap/go/5759/src/internal/cpu/cpu.go
│ -  3  0       0       0       /snap/go/5759/src/internal/cpu/cpu_amd64.go
│ -  4  0       0       0       /snap/go/5759/src/internal/cpu/cpu_x86.go
│ +  2  0       0       0       /usr/lib/golang/src/internal/cpu/cpu.go
│ +  3  0       0       0       /usr/lib/golang/src/internal/cpu/cpu_amd64.go
│ +  4  0       0       0       /usr/lib/golang/src/internal/cpu/cpu_x86.go
│  
...
$ go version gdnf520
gdnf520: go1.14.3
$  dnf-go-gui git:(master) ✗ go version gdnf521
gdnf521: go1.14.2