From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
To: 49801@debbugs.gnu.org
Subject: bug#49801: Guix time machine provenance/manifest reproducibility issue?
Date: Sun, 1 Aug 2021 02:21:42 +0200 [thread overview]
Message-ID: <20210801022142.2117e06e@primarylaptop.localdomain> (raw)
[-- Attachment #1: Type: text/plain, Size: 8512 bytes --]
Hi,
I've been trying to reproduce a tarball
(sz1lkq3ryr5iv6amy6f3d2pziks27g28-tarball-pack.tar.xz) that I generated
with guix pack on guix master the 28 January 2021.
To build it, in January, I used the following commands:
> guix pull
> guix pack \
> --compression=xz \
> --save-provenance \
> -RR \
> --symlink=/usr/local/bin/repo=bin/repo \
> --symlink=/usr/local/bin/repo-env.sh=etc/profile \
> git-repo le-certs nss-certs git python-certifi
That tarball is publicly available in the Replicant ftp server[1].
The extracted provenance file (named manifest) has the following
content:
> ;; This file was automatically generated and is for internal use only.
> ;; It cannot be passed to the '--manifest' option.
>
> (manifest
> (version 3)
> (packages
> (("git-repo"
> "2.4.1"
> "out"
> "/gnu/store/d4frkcdq15a7gyfjdggwg44ryi46fa2d-git-repo-2.4.1R"
> (propagated-inputs ())
> (search-paths ())
> (properties
> (provenance
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> (branch "master")
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> (introduction
> (channel-introduction
> (version 0)
> (commit
> "9edb3f66fd807b096b48283debdcddccfea34bad")
> (signer
> "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A
> 54FA"))))))) ("le-certs"
> "0"
> "out"
> "/gnu/store/x004p4hnyy0ickg2f5msvrpszhy9hzpl-le-certs-0R"
> (propagated-inputs ())
> (search-paths ())
> (properties
> (provenance
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> (branch "master")
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> (introduction
> (channel-introduction
> (version 0)
> (commit
> "9edb3f66fd807b096b48283debdcddccfea34bad")
> (signer
> "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A
> 54FA"))))))) ("nss-certs"
> "3.57"
> "out"
> "/gnu/store/shc8qpw1y2k7q668rx4gl6aff0wp1n6v-nss-certs-3.57R"
> (propagated-inputs ())
> (search-paths ())
> (properties
> (provenance
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> (branch "master")
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> (introduction
> (channel-introduction
> (version 0)
> (commit
> "9edb3f66fd807b096b48283debdcddccfea34bad")
> (signer
> "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A
> 54FA"))))))) ("git"
> "2.30.0"
> "out"
> "/gnu/store/378nlw54nxy991jcilnnbrxasnfvv9wl-git-2.30.0R"
> (propagated-inputs ())
> (search-paths
> (("GIT_SSL_CAINFO"
> ("etc/ssl/certs/ca-certificates.crt")
> #f
> regular
> #f)
> ("GIT_EXEC_PATH"
> ("libexec/git-core")
> #f
> directory
> #f)))
> (properties
> (provenance
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> (branch "master")
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> (introduction
> (channel-introduction
> (version 0)
> (commit
> "9edb3f66fd807b096b48283debdcddccfea34bad")
> (signer
> "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A
> 54FA"))))))) ("python-certifi"
> "2020.11.8"
> "out"
> "/gnu/store/hmp6ab9kw1z3hjns9h1fm3afsq4g6j7x-python-certifi-2020.11.8R"
> (propagated-inputs ())
> (search-paths ())
> (properties
> (provenance
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> (branch "master")
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> (introduction
> (channel-introduction
> (version 0)
> (commit
> "9edb3f66fd807b096b48283debdcddccfea34bad")
> (signer
> "BBB0 2DDF 2CEA F6A8 0D1D E643 A2A0 6DF2 A33A
> 54FA"))))))))))
So I tried to reproduce it with the following command:
> guix time-machine \
> --commit=f9bd4621dd92a9415276706b476b9bd2973411fa -- \
> pack \
> --compression=xz \
> --save-provenance \
> -RR \
> --symlink=/usr/local/bin/repo=bin/repo \
> --symlink=/usr/local/bin/repo-env.sh=etc/profile \
> git-repo le-certs nss-certs git python-certifi
But the new tarball filename was different.
vivien in #guix helped me a lot by trying to build that tarball too and
me and viven have the same filename with guix-time-machine:
bfxvk59q0m034iyq5zkk841zkisayyjl-tarball-pack.tar.xz
We then managed to get to the root cause of the difference.
All the binaries were the sames. All the differences comes from the
fact that the provenance file (named 'manifest') is different.
That difference then produces a different profile name and also affects
/usr/bin as that references the profile.
Diffing the two provenance files gives that:
> +++
> bfxvk59q0m034iyq5zkk841zkisayyjl-tarball-pack/gnu/store/216jiimdyw7zyx8s9b3fz67aw69ydkvw-profile/manifest
> 1970-01-01 01:00:01.000000000 +0100 @@ -15,9 +15,10 @@ (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> - (branch "master")
> + (branch #f)
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> + (name guix)
> (introduction
> (channel-introduction
> (version 0)
> @@ -36,9 +37,10 @@
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> - (branch "master")
> + (branch #f)
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> + (name guix)
> (introduction
> (channel-introduction
> (version 0)
> @@ -57,9 +59,10 @@
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> - (branch "master")
> + (branch #f)
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> + (name guix)
> (introduction
> (channel-introduction
> (version 0)
> @@ -88,9 +91,10 @@
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> - (branch "master")
> + (branch #f)
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> + (name guix)
> (introduction
> (channel-introduction
> (version 0)
> @@ -109,9 +113,10 @@
> (repository
> (version 0)
> (url "https://git.savannah.gnu.org/git/guix.git")
> - (branch "master")
> + (branch #f)
> (commit
> "f9bd4621dd92a9415276706b476b9bd2973411fa")
> + (name guix)
> (introduction
> (channel-introduction
I've tried to add --branch=master to guix time-machine and used guix
gc -D to remove the older tarball as it didn't rebuild it even with
--rounds=2, and at the end I still got the exact same
bfxvk59q0m034iyq5zkk841zkisayyjl-tarball-pack.tar.xz tarball (I've
compared both with cmp).
Am I doing something wrong, or is there an issue that needs to be fixed
somehow?
References:
-----------
[1]https://ftp.osuosl.org/pub/replicant/build-tools/repo/28-01-2021/
Denis.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next reply other threads:[~2021-08-01 0:22 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-01 0:21 Denis 'GNUtoo' Carikli [this message]
2021-08-17 12:11 ` bug#49801: Guix time machine provenance/manifest reproducibility issue? zimoun
2021-09-01 22:27 ` Denis 'GNUtoo' Carikli
2021-09-02 8:10 ` zimoun
2021-09-02 14:12 ` Denis 'GNUtoo' Carikli
2021-09-02 19:30 ` zimoun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210801022142.2117e06e@primarylaptop.localdomain \
--to=gnutoo@cyberdimension.org \
--cc=49801@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).