Build path

Some tools will record the path of the source files in their output.

Most compilers write the path of the source in the debug information in order to locate the associated source files.

Some tools have flags (like gzip’s -n) that prevent them from writing the path in their output. Proposing patches to add a similar feature in other tools might be sufficiently easy.

In most cases however, post-processing is required to either remove the build path or to normalize it to a predefined value.

For the specific case of debug symbols, there is currently no good post-processing tool to change them to a pre-determined value¹. A work-around is to define the build path as part of the build environment, however reprotest changes it so this makes it harder to assess reproducibility. Certain compiler flags can work around the issue:

• -fdebug-prefix-map=OLD=NEW can strip directory prefixes from debug info. (available in all GCC versions, Clang 3.8)
• -fmacro-prefix-map=OLD=NEW is similar to -fdebug-prefix-map, but addresses unreproducibility due to the use of __FILE__ macros in assert calls for example. (available since GCC 8 and Clang 10)
• -ffile-prefix-map=OLD=NEW is an alias for both -fdebug-prefix-map and -fmacro-prefix-map. (available since GCC 8 and Clang 10)

With dpkg >= 1.19.1, first shipped with Debian Buster, packages can enable the -ffile-prefix-map=OLD=NEW flag by adding the fixfilepath build flag to their debian/rules file. For example:

export DEB_BUILD_MAINT_OPTIONS = hardening=+all reproducible=+fixfilepath

Note that some packages save the compile options in the build output.

This is also problematic because this will also apply to intermediate source files that other tools generate. As they typically will use random file names, having a fixed build path is not enough in such cases.

A build-path-prefix-map specification is in discussion with the GCC developers.

← Documentation index

Documentation home

Introduction

• Definitions
• History
• Buy-in
• Making plans
• Academic publications

Achieve deterministic builds

• Commandments of reproducible builds
• Variations in the build environment
• SOURCE_DATE_EPOCH
• Deterministic build systems
• Volatile inputs can disappear
• Stable order for inputs
• Stripping of unreproducible information
• Value initialization
• Version information
• Timestamps
• Timezones
• Locales
• Archive metadata
• Stable order for outputs
• Randomness
• Build path
• System images
• JVM

Define a build environment

• What's in a build environment?
• Recording the build environment
• Definition strategies
• Proprietary operating systems

Distribute the environment

• Building from source
• Virtual machine drivers
• Formal definition

Verification

• Cryptographic checksums
• Embedded signatures
• Sharing certifications

Specifications

• SOURCE_DATE_EPOCH
• BUILD_PATH_PREFIX_MAP (WIP)