nfpm does not ensure reproducible builds #744

Closed
keliramu opened this issue Nov 28, 2023 · 8 comments · Fixed by #748

@keliramu
Contributor

What happened?

Implemented a sample nfpm template to create a deb package (as a bash script to create the deb package).
Executed the above-mentioned script in a loop of 9 iterations: create package, check size, remove package.
Getting stable results: at least 2 times out of 9 the deb size differs from the previous iteration.

~/nfpm-consistent-results-not$ ./test-deb-size.sh 
Create DEB multiple times to check if resulting size stays the same
Create DEB in loop: 1..9
DEB i: 1; now DEB size: 862
DEB i: 2; now DEB size: 864 ::: GOT different size!!! prev: [862]
DEB i: 3; now DEB size: 862 ::: GOT different size!!! prev: [864]
DEB i: 4; now DEB size: 864 ::: GOT different size!!! prev: [862]
DEB i: 5; now DEB size: 864
DEB i: 6; now DEB size: 864
DEB i: 7; now DEB size: 864
DEB i: 8; now DEB size: 864
DEB i: 9; now DEB size: 864
Done. Got diffs: 3

How can we reproduce this?

Here is the public github repo with scripts to reproduce this problem: https://github.com/keliramu/nfpm-consistent-results-not

nfpm version

nfpm --version
       _____ ____  __  __
 _ __ |  ___|  _ \|  \/  |
| '_ \| |_  | |_) | |\/| |
| | | |  _| |  __/| |  | |
|_| |_|_|   |_|   |_|  |_|
nfpm: a simple and 0-dependencies deb, rpm, apk and arch linux packager written in Go
https://nfpm.goreleaser.com

GitVersion:    2.34.0
GitCommit:     6a16fcd38aa41ec2a5fea50728d22258ab9e2580
GitTreeState:  false
BuildDate:     2023-10-23T11:26:52Z
BuiltBy:       goreleaser
GoVersion:     go1.21.3
Compiler:      gc
ModuleSum:     h1:fKoHucBOcmW2CkIDj3gZZ4grJGRRoed7eRzAztWa3xo=
Platform:      linux/amd64


keliramu added the bug (Something isn't working) label Nov 28, 2023
@caarlos0
Member

caarlos0 commented Dec 5, 2023

I can repro it, but no idea (yet) of what's causing it

@caarlos0
Member

caarlos0 commented Dec 5, 2023

seems to be related to the gzip compression...

@caarlos0
Member

caarlos0 commented Dec 5, 2023

yup, it's the gz compression, changing to xz fixes it:

# ...
contents:
  - src: ./foo111.sh
    dst: /usr/bin/foo111.sh
deb:
  compression: xz # <---- add this
overrides:
  rpm:
    scripts:
# ...

and I don't know if there's much we can do about it.

FWIW, I can kinda repro it with gzip too:

for i in $(seq 1 10); do
  echo 'hello world'>test$i.txt
  gzip test$i.txt
  md5sum test$i.txt.gz
done

I don't know enough of how gzip works though, maybe I'm still missing something

@keliramu
Contributor Author

keliramu commented Dec 5, 2023

But this is consistent:

for i in $(seq 1 10); do
  trg_dir="cc"$i
  mkdir $trg_dir
  echo 'hello world'>$trg_dir/test.txt
  gzip $trg_dir/test.txt
  md5sum $trg_dir/test.txt.gz
done

@keliramu
Contributor Author

keliramu commented Dec 5, 2023

In this PR, #747, I have a solution for how to make the target deb package a stable size.
Variation of the target deb file is caused by:

  1. random file sort order of files in control.tar
  2. file ModTime attribute

Please review it. Probably need some kind of control of the ModTime setting, either to choose zero time to ensure a reproducible result or to keep the original mod time.
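
The two causes listed in the comment above (entry order in control.tar and the ModTime attribute) can be seen in isolation with the following Go program. It is an added example, not code from nfpm or from PR #747; `buildControl` and `sortedNames` are hypothetical helpers, and the file names, contents and epoch value are constructed.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"fmt"
	"sort"
	"time"
)

// sortedNames returns the keys in lexical order; ranging over a Go map directly gives a varying order.
func sortedNames(files map[string]string) []string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	return names
}

// buildControl writes files as a tar.gz in the given order, stamping mtime on every
// tar entry and on the gzip header, and returns the SHA-256 of the resulting bytes.
func buildControl(files map[string]string, names []string, mtime time.Time) [32]byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	gz.ModTime = mtime // gzip header MTIME field
	tw := tar.NewWriter(gz)
	for _, n := range names {
		must(tw.WriteHeader(&tar.Header{Name: n, Mode: 0o644, Size: int64(len(files[n])), ModTime: mtime}))
		_, err := tw.Write([]byte(files[n]))
		must(err)
	}
	must(tw.Close())
	must(gz.Close())
	return sha256.Sum256(buf.Bytes())
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed sample: stand-ins for control.tar members and for $SOURCE_DATE_EPOCH.
	files := map[string]string{"control": "Package: foo\n", "postinst": "#!/bin/sh\nexit 0\n"}
	fmt.Printf("%x\n", buildControl(files, sortedNames(files), time.Unix(1700000000, 0)))
}
```

With sorted names and a fixed timestamp the digest is the same on every run; passing the names in another order, or `time.Now()` as the timestamp, changes it.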

@keliramu
Contributor Author

keliramu commented Dec 5, 2023

BTW, proposed option:

deb:
  compression: xz # <---- add this

Does not solve the problem, as it is only for data.tar, but control.tar is always gzipped without the possibility to choose a different method.

@caarlos0
Member

caarlos0 commented Dec 5, 2023

ahh, good find, I totally missed that

caarlos0 added a commit that referenced this issue Dec 6, 2023
defaults to $SOURCE_DATE_EPOCH

closes #744
closes #734

Signed-off-by: Carlos Alexandro Becker <[email protected]>
@caarlos0
Member

caarlos0 commented Dec 6, 2023

check #748

caarlos0 added a commit that referenced this issue Dec 7, 2023
* feat: allow to set a build date

defaults to $SOURCE_DATE_EPOCH

closes #744
closes #734

Signed-off-by: Carlos Alexandro Becker <[email protected]>

* fix: rename to mtime

* docs: fix systemd note

closes #739

* fix: improve arch packager

* fix: arch test

Signed-off-by: Carlos Alexandro Becker <[email protected]>

* fix: improve apk packager

* fix: improve deb special files

* fix: reuse keys func

* fix: deps

Signed-off-by: Carlos Alexandro Becker <[email protected]>

---------

Signed-off-by: Carlos Alexandro Becker <[email protected]>