openSUSE:Reproducible openSUSE/Part2

This is documentation Part 2 of Bernhard's R-B-OS - about making enough packages reproducible for a small DVD with some graphical UI. It is sponsored by a grant from the nice people at the NLNet foundation.

package sources are collected in https://build.opensuse.org/project/show/home:bmwiedemann:reproducible:distribution:ring1 - They are also available at https://rb.zq1.de/RBOS/ along with the binaries

Note: building with pbuild is significantly slower here, because dependency resolution is implemented in pure perl and takes a minute to figure out what to build next.

How to build

Ensure you have enough disk space. The binaries need 460GB and the sources another 60GB. Plus builds need another 150GB in /var/tmp with the default build.sh setting of '--buildjobs 2' A full build needs 1-4 weeks.

zypper in osc qemu

Install the `build` tool from https://build.opensuse.org/package/show/home:bmwiedemann:reproducible:distribution:ring1/build (needed for emacs, colord and python-lxml) via

osc getbinaries home:bmwiedemann:reproducible:distribution:ring1 build standard x86_64
sudo rpm -U --force --oldpackage binaries/build-20241114-1.1.noarch.rpm

osc co home:bmwiedemann:reproducible:distribution:ring1 && cd $_
ln -s 000pbuildconf/_* .
sh 000pbuildconf/sha256sums.src
# => 6ac5cf0e1c129a15bf715312ac8c0598b9c655b414890b7d871621a7df4adff4
sh 000pbuildconf/build.sh
  pbuild is done:
  broken:    9
  succeeded: 3574
  failed:    17
  unresolvable: 8
  excluded:  193
# => f8ff03e17cfd9217db1756957794b791017f328ee8f0d35f7a38b37cbad283f1

How to run a VM

How to run a minimal VM built from this (login credentials are user=root pass=nots3cr3t ):

unrpm /path/to/altimagebuild-1*.rpm
qemu-kvm -drive format=raw,file=var/lib/altimagebuild-x86_64.img -m 1000 -serial stdio -vnc :9
# in VM:
# optional: recreate the dropped unreproducible rpm database
rpmkeys --import /usr/lib/rpm/gnupg/keys/*
zypper -n install --no-recommends $(grep -v gpg-pubkey- /.packages)

See also the guide about a graphical env in there.

Encountered issues/fixes

• https://github.com/mesonbuild/meson-python/issues/671 random tmpdir
• https://github.com/fedora-java/xmvn/pull/298 various
• https://github.com/Instagram/LibCST/pull/1213 rust
• https://bugzilla.opensuse.org/show_bug.cgi?id=1230856 xen/acpica
• https://bugzilla.opensuse.org/show_bug.cgi?id=1173396 xorg-x11-fonts/fonttosfnt
• https://git.enlightenment.org/enlightenment/efl/issues/41 parallelism => drop https://build.opensuse.org/request/show/1202479
• java-21-openjdk - used taskset 1 to avoid race-conditions
• https://build.opensuse.org/request/show/1204725 python312
• https://bugzilla.opensuse.org/show_bug.cgi?id=1228131 kf6-kirigami + qqc2-breeze-style6 + kf6-qqc2-desktop-style + qt6-declarative + qt6-multimedia + qt6-sensors + qt6-webengine + kirigami-addons6 race
• https://bugs.libcamera.org/show_bug.cgi?id=233 libcamera sig + date ; https://lists.libcamera.org/pipermail/libcamera-devel/2024-October/045731.html date
• https://github.com/pygraphviz/pygraphviz/pull/544 python-pygraphviz/python-sphinx-gallery benchmark
• https://build.opensuse.org/request/show/1207950 drop libkolabxml from kdepim-runtime because of https://bugzilla.opensuse.org/show_bug.cgi?id=1060506
• https://gitlab.gnome.org/GNOME/seahorse/-/issues/394 seahorse parallelism/race
• https://bugzilla.opensuse.org/show_bug.cgi?id=1231368 efivar CPU
• https://build.opensuse.org/request/show/1206278 gsl nocheck
• https://build.opensuse.org/request/show/1192626 ca-certificates-mozilla-prebuilt date
• https://github.com/sphinx-doc/sphinx/issues/6714 python312:doc + kernel-source:doc race
• https://build.opensuse.org/request/show/1204725 python312:doc .pyc files in doc
• https://build.opensuse.org/package/show/home:bmwiedemann:reproducible:distribution:ring1/python-numpy .pyc
• fix .jar mtimes with strip-nondeterminism in antlr, rhino, slf4j, sac, xml-commons-apis, uwsgi, tigervnc, jflex, brltty, xalan-j2, protobuf
• schily https://codeberg.org/schilytools/schilytools/pulls/81 uname -r
• lsof https://bugzilla.opensuse.org/show_bug.cgi?id=1232425 uname -r
• presage https://bugzilla.opensuse.org/show_bug.cgi?id=1234897 corruption bug
• qt6-webengine + libqt5-qtwebengine https://bugzilla.opensuse.org/show_bug.cgi?id=1236006 patched auto-updated copyright year
• https://github.com/openSUSE/obs-build/pull/1047 and patched issues with mis-parsed timezone in changelog of pulseaudio libyui yast2-* xl2tpd taglib mcelog libical kompare kdenetwork-filesharing indic-fonts gvfs gjs flashrom evolution-data-server evolution check cairo autoyast2 audiofile
• abseil-cpp https://bugzilla.opensuse.org/show_bug.cgi?id=1235867 random diff - possible race-condition
• ovmf varies in OBS-build - needed _projectcert.crt
• https://bugzilla.opensuse.org/show_bug.cgi?id=1232550 superlu failed to build with nocheck
• python-xmlschema FTBFS-j1
• ibmtss https://sourceforge.net/p/ibmtpm20tss/tickets/49/ FTBFS-2026

worked around

• colord https://github.com/hughsie/colord/issues/174 CPU dependent .icc files - maybe from lcms2
• emacs https://mail.gnu.org/archive/html/emacs-devel/2024-10/msg00004.html .pdmp dump files vary
• python-lxml produces different results when compiled on a VM with more than 4 cores
• disable ASLR for building llvm17 + nodejs22
• disable LTO for llvm1[578]
• rust-cbindgen disable LTO
• grpc https://bugzilla.opensuse.org/show_bug.cgi?id=1234751 uname -r
• nodejs22 CPU-dependent results
• qpid-proton rare race condition => build with -j1
• python310:doc rare variation - probably from ASLR or race
• python-rdflib:doc https://github.com/RDFLib/rdflib/issues/2645
• llvm17 CPU dependent results
• libraw variation in rpm-metadata (PartialHardlinkSets) from fdupes

remaining issues

• libreoffice/rpm https://bugzilla.opensuse.org/show_bug.cgi?id=1231580 bug
• memcached https://github.com/memcached/memcached/pull/1074 FTBFS-2038
• python-joblib https://github.com/joblib/joblib/issues/870 FTBFS-j1
• python-pandas/cython https://github.com/pandas-dev/pandas/issues/60078
• java-21-openjdk has some rare variation ; maybe a race
• java-11-openjdk (only used for bootstrapping) has plenty old issues
• ceph https://github.com/boostorg/build/issues/760 has an embedded boost version. It produces different binaries when building after 2038
• installation-images various
• qemu does not build with pbuild
• dettrace FTBFS-2038
• guile FTBFS in 1-core-VM
• python310 + python311 FTBFS-j1
• python-executing
• python-pexpect https://github.com/pexpect/pexpect/issues/749 FTBFS flaky test
• python-tornado6 FTBFS-2033
• qca FTBFS-2031
• tracker FTBFS-j1
• util-linux https://github.com/util-linux/util-linux/issues/3259 random test failure