Produce identical packages for checksum comparison?

b. f. bf1783 at
Sun Nov 15 19:41:21 UTC 2009

On 11/15/09, Chris <christopher-ml at> wrote:
> b. f. wrote:
>> Chris wrote:


>> Even if you edited your
>> filesystem or archives to change the timestamps of package files, the
> I think that could be accomplished though the port makefiles.

I think that the exact reproduction of whole archives will be
problematic, unless you have a means of changing the ctime of the
binaries that have been built to a predetermined value.

>> toolchain used to create the binary files in packages often injects
>> random seeds, timestamps, file paths, uid/gid information, etc. that
> I can understand file paths with debug info.  Timestamps?  Ok sure for a
> timestamp file being generated during a make that auto increments version
> numbers.  What would change about uid/gid?  I can't imagine why that
> might be in the binaries.

ar(1) and some of the other utilities inject this information into
certain binary files.  Try running 'objdump -a'  on, for example,
some static archive like /usr/lib/libc.a.  Of course this information
can be manipulated, but you have to do it.  See the patches in the
link I cited earlier for other examples.


> Why would the build tools be injecting random numbers into binaries?

Usually to provide some degree of uniqueness.  I'm not saying that it
is always done, just that it _may_ be done.  See, for example, the gcc
sources or the -frandom-seed option description in gcc(1).  And it may
not be just the compiler toolchain -- a port may do it.

Occasionally, there are other sources of non-determinism.  For
example, in a recent thesis, a researcher who was trying to use
reproducible builds to defeat a longstanding security threat found
that the tcc compiler produced non-deterministic builds because of a
defect in sign-extending some casts, and a problem with long double
output.  He also cited another researcher's finding that a certain
java compiler's output was dependent upon the address of heap memory
addresses used during compilation.  See:


>If I concentrated on one problem at a  time I would never get anything done.

?! :)


More information about the freebsd-questions mailing list