-
Notifications
You must be signed in to change notification settings - Fork 893
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make docs reproducibility more robust #3951
Conversation
On Debian some architectures don't support using the faketime wrapper and it will simply bail out. Turns out pdflatex now natively supports SOURCE_DATE_EPOCH though as long as you also set FORCE_SOURCE_DATE, otherwise it won't take effect. Graphviz (dot) also supports the former.
9a34ab0
to
4300589
Compare
Problem that was needed solving here is that dot and pdflatex did not generate PDF files in docs/images/011 directory only based by content but also by current time. That produced issues of CI updating https://github.com/YosysHQ-Docs/yosys-cmd-ref/tree/main/images since then all these PDFs are always found to be different. For creating documentation Debian packages, it would be perfectly fine to get PDF files with any timestamp in them since anyway you would rebuild it for each version, so I see no need to enforce any specific timestamp. Does this solution looks fine to you, and does it solve issues you experiencing ? |
Reproducibility isn't just a convince feature, it's a table stakes distribution security mechanism see https://reproducible-builds.org/ The idea is that anyone can check a Debian package corresponds to it's source code by recompiling and comparing the resulting .debs bit by bit. This helps detect compromised build infrastructure. So we really do need to get rid of faketime here. Currently this patch is still broken due to CreationDate etc. see https://wiki.debian.org/ReproducibleBuilds/TimestampsInPDFGeneratedByLaTeX I'll have to do slightly more invasive surgery. --Daniel |
Ok, my previous analysis was wrong. Graphviz dot doesn't seem to support SOURCE_DATE_EPOCH and that's the root problem I have in the Debian packaging. The problem with faketime is this:
So instead of removing the use of faketime I'll switch to setting the LD_PRELOAD and FAKETIME envvars directly. --Daniel |
As per your own links;
This is what faketime is doing for us. While the reason was to prevent git from detecting a change in pdf when there was no change in content, this accomplishes the goal of a reproducible build that (should) produce the same result from the same source, rather than the output changing due to differences in build system. Unless there is something else affecting the reproducibility (the PDF ID in your link for example), then this is just about building on Debian and the name of the pull request should be updated to reflect that. |
Turns out the faketime problem ( So in fact this entire PR is ill-conceived :)
I'm still seeing PDF CreationDate differences (debci), I think those are due to $TZ. I'll send an update once I confirm overriding $TZ gets rid of the non-reproducibility. |
Commits:
On Debian some architectures don't support using the faketime wrapper and
it will simply bail out. Turns out pdflatex now natively supports
SOURCE_DATE_EPOCH though as long as you also set FORCE_SOURCE_DATE,
otherwise it won't take effect. Graphviz (dot) also supports the former.