Some tools will record the path of the source files in their output.
Most compilers write the path of the source in the debug information in order to locate the associated source files.
Some tools have flags (like gzip’s -n) that prevent them from writing the path in their output. Proposing patches to add a similar feature in other tools might be sufficiently easy.
In most cases however, post-processing is required to either remove the build path or to normalize it to a predefined value.
For the specific case of debug symbols, there is currently no good post-processing tool to change them to a pre-determined value. A work-around is to define the build path as part of the build environment, but reprotest changes it, so this makes it harder to assess reproducibility.
Certain compiler flags can work around the issue:
- -fdebug-prefix-map=OLD=NEW can strip directory prefixes from debug info (available in all GCC versions, Clang 3.8).
- -fmacro-prefix-map=OLD=NEW is similar to -fdebug-prefix-map, but addresses unreproducibility due to the use of assert calls, for example (available since GCC 8 and Clang 10).
- -ffile-prefix-map=OLD=NEW is an alias for both -fdebug-prefix-map and -fmacro-prefix-map (available since GCC 8 and Clang 10).
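The effect of -ffile-prefix-map described above, as an added example that is not part of the original page: it compiles a constructed one-line C file in two temporary build directories and compares the object files. The function names, hello.c, the NEW value "." and the use of $CC (default cc, assumed to be GCC 8+ or Clang 10+) are assumptions.

```shell
#!/bin/sh
# Added example: does the build directory leak into the object file?
CC=${CC:-cc}   # assumption: GCC >= 8 or Clang >= 10

# build_in DIR MODE: write a constructed source file into DIR and compile it
# there by absolute path, as many build systems do. MODE "map" adds
# -ffile-prefix-map so the directory prefix is rewritten to ".".
build_in() {
    dir=$(cd "$1" && pwd -P) || return 2   # resolve symlinks so OLD matches
    flag=
    if [ "$2" = map ]; then flag="-ffile-prefix-map=$dir=."; fi
    # __FILE__ is what assert() expands; -g adds the path to the debug info.
    printf '%s\n' 'const char *where(void) { return __FILE__; }' > "$dir/hello.c"
    (cd "$dir" && "$CC" -g -c "$dir/hello.c" -o hello.o ${flag:+"$flag"})
}

# same_object MODE: build in two fresh directories.
# Exit status 0 = objects byte-identical, 1 = they differ, 2 = build failed.
same_object() {
    a=$(mktemp -d) && b=$(mktemp -d) || return 2
    build_in "$a" "$1" && build_in "$b" "$1" || { rm -rf "$a" "$b"; return 2; }
    cmp -s "$a/hello.o" "$b/hello.o"; result=$?
    rm -rf "$a" "$b"
    return "$result"
}

for mode in nomap map; do
    same_object "$mode"
    echo "$mode: cmp exit status $?"
done
```

Running `strings hello.o` on an object built in "nomap" mode shows the temporary directory both in the debug info and in the __FILE__ string.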
With dpkg >= 1.19.1, first shipped with Debian Buster, packages can enable the -ffile-prefix-map=OLD=NEW flag by adding the reproducible=+fixfilepath flag to their debian/rules file. For example:
export DEB_BUILD_MAINT_OPTIONS = hardening=+all reproducible=+fixfilepath
Note that some packages save the compile options in the build output.
This is also problematic because this will also apply to intermediate source files that other tools generate. As they typically will use random file names, having a fixed build path is not enough in such cases.
A build-path-prefix-map specification is in discussion with the GCC developers.