| 17 May 2023 |
delroth | so that might have been an unsandboxed build | 14:58:38 |
delroth | https://github.com/NixOS/nix/issues/8165 | 14:59:05 |
delroth | could be that when it's sandboxed properly the kernel actually builds reproducibly then... I forgot about this issue, and now I'm annoyed that it's still a problem and that I've possibly wasted several hours because of it again so I'm going to go do something else for a while | 15:00:44 |
raitobezarius | I can try to reproduce | 15:01:10 |
raitobezarius | What is your attr you're building? | 15:01:15 |
raitobezarius | (on which rev?) | 15:01:17 |
delroth | pkgs.linux on latest staging-next (which has the BTF fix) | 15:01:35 |
raitobezarius | thx | 15:01:54 |
@rnhmjoj:maxwell.ydns.eu | In reply to @delroth:delroth.net could be that when it's sandboxed properly the kernel actually builds reproducibly then... I forgot about this issue, and now I'm annoyed that it's still a problem and that I've possibly wasted several hours because of it again so I'm going to go do something else for a while shouldn't it be reproducible by default? it's very surprising that there's a "reproducible builds" project with a dozen linux distros on it, but not the kernel itself | 15:02:56 |
delroth | of the two Linux distros that have CI on the Reproducible Builds infra, 0/2 have a reproducible Linux kernel | 15:05:22 |
@rnhmjoj:maxwell.ydns.eu | In reply to @delroth:delroth.net (it took 20min of 100% CPU time for diffoscope to generate this diff) https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/linux.html looks like this CI machine wasn't as fast as yours | 15:10:32 |
delroth | checking GUIX now, they don't have diffoscope outputs on their CI but they have NARs I can extract... | 15:11:31 |
delroth | and every .ko.gz mismatches + System.map mismatch + bzImage mismatch | 15:12:26 |
delroth | so might be the same BTF issue we've been having | 15:12:34 |
delroth | anyway, the answer is that yes, there is a reproducible builds project with a dozen linux distros on it, but no, that doesn't mean the kernel builds reproducibly, in fact nobody seems to be able to at this point, and especially not "by default" :( | 15:15:54 |
delroth | I suspect that Nix sandboxed might do the trick, the build-id diff in the VDSO should be entirely attributable to filename differences, and that shouldn't happen when sandboxed | 15:16:29 |
delroth | (now, is it a good thing that we "hide" these sources of reproducibility with Nix? maybe, maybe not :) ) | 15:16:58 |
delroth | * (now, is it a good thing that we "hide" these sources of unreproducibility with Nix? maybe, maybe not :) ) | 15:17:04 |
@rnhmjoj:maxwell.ydns.eu | In reply to @delroth:delroth.net anyway, the answer is that yes, there is a reproducible builds project with a dozen linux distros on it, but no, that doesn't mean the kernel builds reproducibly, in fact nobody seems to be able to at this point, and especially not "by default" :( but when NixOS briefly became 100% reproducible some time ago, was the kernel included? | 15:18:25 |
@rnhmjoj:maxwell.ydns.eu | * but when NixOS briefly became 100% reproducible some time ago, was the kernel included? | 15:18:37 |
raitobezarius | necessarily I believe | 15:19:04 |
@rnhmjoj:maxwell.ydns.eu | so, the kernel devs messed up? | 15:20:51 |
raboof | In reply to @rnhmjoj:maxwell.ydns.eu but when NixOS briefly became 100% reproducible some time ago, was the kernel included? yes, the kernel has been reproducible for a while (I think since https://github.com/NixOS/nixpkgs/pull/107625), the nondeterminism introduced by BTF was a recent thing | 15:22:24 |
delroth | "recent" | 15:22:55 |
raitobezarius | enabled recently | 15:23:27 |
raboof | In reply to @rnhmjoj:maxwell.ydns.eu so, the kernel devs messed up? I guess so - I'm not sure they aim for 'reproducible by default', though 'possibly reproducible' does seem to be a goal (https://docs.kernel.org/kbuild/reproducible-builds.html) | 15:24:55 |
delroth | and https://docs.kernel.org/kbuild/reproducible-builds.html#absolute-filenames does imply it's a bug on their side, since they don't forward these flags when building the VDSO ELF | 15:31:31 |
delroth | from the build log on my system: "'/build/tmp.x93KqkyjEg/.config' -> '/nix/store/cviv21h0qwd1pd0a7mhin7hadhwk4r9x-linux-config-6.1.28'" so yeah, was unsandboxed... | 15:41:44 |
delroth | oh actually maybe not, I don't know where that temp path comes from, might be in the derivation | 15:43:23 |
delroth | "export buildRoot=$(mktemp -d)" in manual-config.nix -- if somehow the buildRoot leaks into the VDSO ELF (and not just the sourceRoot, which would be expected) then that would be a randomized path anyway even when sandboxed | 15:45:41 |