
Groonga build is not reproducible

Open ottok opened this issue 5 years ago • 0 comments

Reproducible builds are important for software supply chain security. See https://reproducible-builds.org/

All packages in Debian are tested for reproducibility. The latest builds at https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/groonga.html show that Groonga is not reproducible.

This is most likely due to the Groonga build embedding the build path in the resulting binary.

Please consider not doing that.

I don't see why it would be useful for a build to know whether it was done in /opt/src/groonga/build-1 or /opt/src/groonga/build-2.

From: https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20200120/012028.html

I have no generalised advice to impart but I spent a little while on this today and managed to make src:mroonga almost reproducible using the following changes.

Firstly, I needed to prevent the ./configure options ending up in the binary for some kind of "--show-config" switch. This embedded the absolute build path; the CFLAGS contain -ffile-prefix-map with a value with the absolute build dir:

--- a/configure.ac
+++ b/configure.ac
@@ -1539,7 +1539,7 @@ GRN_DEFS="$GRN_DEFS -DGRN_DEFAULT_DOCUME
 GRN_DEFS="$GRN_DEFS -DGRN_DEFAULT_RELATIVE_DOCUMENT_ROOT=\\\"\"\$(GRN_DEFAULT_RELATIVE_DOCUMENT_ROOT)\"\\\""
 AC_SUBST(GRN_DEFS)
 CFLAGS="$CFLAGS $OPT_CFLAGS "
-AC_DEFINE_UNQUOTED(CONFIGURE_OPTIONS, "$ac_configure_args", "specified configure options")
+AC_DEFINE_UNQUOTED(CONFIGURE_OPTIONS, "$(echo $ac_configure_args | sed -e "s@$(pwd)@<builddir>@g")", "specified configure options")

 # For groonga.org
 AC_ARG_WITH(groonga-org-path,
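
Review bot: On the added AC_DEFINE_UNQUOTED line, $(pwd) is spliced into the sed expression as an unescaped regular expression with @ as the delimiter, so a build directory containing @ or regex metacharacters such as . or [ will either break the sed command or match the wrong text. The echo $ac_configure_args is also unquoted, so the arguments are word-split and glob-expanded before sed sees them. Consider computing the sanitized value once into a shell variable ahead of this macro, with the argument quoted and the directory escaped. Note also that $(pwd) only covers the directory configure runs in, so any configure argument that names a different absolute directory would still be embedded.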

§

Secondly, I needed to adjust the embedded version of nginx (!) to not also embed -ffile-prefix-map/CFLAGS as above. Note the use of $(dirname $(dirname …)) as it is the top-level build directory that was being embedded, not the current working directory at the time this code is being run:

--- a/vendor/nginx-1.17.7/auto/configure
+++ b/vendor/nginx-1.17.7/auto/configure
@@ -16,7 +16,7 @@ test -d $NGX_OBJS || mkdir -p $NGX_OBJS
 echo > $NGX_AUTO_HEADERS_H
 echo > $NGX_AUTOCONF_ERR

-echo "#define NGX_CONFIGURE \"$NGX_CONFIGURE\"" > $NGX_AUTO_CONFIG_H
+echo "#define NGX_CONFIGURE \"$(echo $NGX_CONFIGURE | sed -e "s@$(dirname $(dirname $(pwd)))@<builddir>@g")\"" > $NGX_AUTO_CONFIG_H

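Review bot: The nested $(dirname $(dirname $(pwd))) on the added line hard-codes the assumption that this script runs exactly two levels below the top-level build directory; if the vendored tree moves or the script is invoked from another directory, the substitution silently stops matching and the path is embedded again. The command substitutions are unquoted, so a path containing spaces breaks them, and the directory is again used as an unescaped sed pattern. Passing the top-level build directory in from the caller, for example through an environment variable, would be more robust than deriving it here. Since the change lives under vendor/nginx-1.17.7, it also has to be reapplied on every nginx update unless it is carried as a separate patch.
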
§

However, this is not complete as the ngx_http_groonga_module.o module includes an absolute path to its .c source file. I cannot seem to find how (it's not a -DFOO=BAR style assignment or __FILE__ usage or …) despite poking for a little while.

Hope this gives you somewhere to start from — good luck. :)

Related issue: https://github.com/mroonga/mroonga/issues/298

ottok avatar Jan 27 '20 16:01 ottok
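
One way to locate which build outputs still embed the build directory, such as the remaining path in ngx_http_groonga_module.o mentioned above. This is an added example, not part of the original issue or of Groonga's code; the function names and the two sample object files are constructed for illustration.

```python
import os
import re
import tempfile

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1)


def embedded_strings(data, needle):
    """Yield (offset, text) for each printable run in data that contains needle."""
    for match in PRINTABLE_RUN.finditer(data):
        if needle in match.group():
            yield match.start(), match.group().decode("ascii")


def scan_tree(root, build_dir):
    """Map each file under root that embeds build_dir to its offending strings."""
    needle = os.path.abspath(build_dir).encode()
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path) or os.path.islink(path):
                continue  # skip sockets, FIFOs and symlinks
            with open(path, "rb") as fh:  # whole-file read: fine for object files
                found = list(embedded_strings(fh.read(), needle))
            if found:
                hits[os.path.relpath(path, root)] = found
    return hits


def demo():
    """Scan two constructed fake object files; returns (build_dir, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        build = os.path.join(tmp, "build-1")
        os.makedirs(os.path.join(build, "objs"))
        flags = b"--prefix=/usr CFLAGS=-ffile-prefix-map="
        samples = {
            "leaky.o": b"\x7fELF\x00\x01" + flags + build.encode() + b"=.\x00",
            "clean.o": b"\x7fELF\x00\x01" + flags + b"<builddir>=.\x00",
        }
        for name, blob in samples.items():
            with open(os.path.join(build, "objs", name), "wb") as fh:
                fh.write(blob)
        return build, scan_tree(build, build)


if __name__ == "__main__":
    build_dir, hits = demo()
    for rel, found in hits.items():
        for offset, text in found:
            print(f"{rel} @0x{offset:x}: {text}")
```

Running scan_tree over a real build tree prints the full string around each leak, which usually identifies the macro or flag that carried the path into the object file.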