Recent comments on posts in the blog:

Occasionally I have also identified bugs that corrupted data during the build. Those bugs would have been hard to find without the work on reproducible builds.
Comment by Anonymous Wed Aug 15 04:24:55 2018

Thanks for your input. It seems this tools only patches the final executable to reset some metadata.

AFAICS this alleviates the need for a patched binutils and works on VC++ binaries, however this is a fraction of what makes a build reproducible.

Comment by beuc Fri Jul 6 07:12:50 2018
Are you aware of this tool for making DLLs/EXEs reproducible?
Comment by Anonymous Fri Jun 22 02:33:06 2018

Actually Debian Docker images are now marked as "official", and there is some work to make them reproducible https://github.com/debuerreotype/debuerreotype

Although I didn't figure out how to verify the checksum of said images - probably worth a separate post.

Comment by beuc Wed Jun 20 15:30:40 2018

The particular issue of varying BuildID-s due to the debugging symbols can actually be fixed through -fdebug-prefix-map already, e.g.:

$ (cd repro && gcc-6 -g hello.c -o hello && sha256sum hello)
9d41920af912b8d1810f75940489ee99b6e6712788b5a54e1d1829fe84e7ed96  hello
$ (cd repro-b && gcc-6 -g hello.c -o hello && sha256sum hello)
bb99335f4d2242506b75f1f8d437d9b85877cf42c4cbf734ed5eca0b73f7ace0  hello

$ (cd repro && gcc-6 -fdebug-prefix-map=$(pwd)=/ -g hello.c -o hello && sha256sum hello)
fbdf49c11b4b4138bff7fb2cacaa5304690bfa748d4455dc67585cf4325eed06  hello
$ (cd repro-b && gcc-6 -fdebug-prefix-map=$(pwd)=/ -g hello.c -o hello && sha256sum hello)
fbdf49c11b4b4138bff7fb2cacaa5304690bfa748d4455dc67585cf4325eed06  hello

I wish I was told earlier.

Comment by beuc Wed Jun 20 13:52:45 2018

I've been using fossil for months, and I can think of 3 feature which is much better than in git - opensource. All of it. - It has a single sqlite database (single file) - you can checkout to multiple directories, multiple revisions (helped me a lot)

Comment by Anonymous Thu Jun 7 05:11:01 2018

Hi, if you don't know about .zed files, you can forget about it and return to your happy life! :)
I'm not going to advertise those products.

Comment by beuc Wed Sep 20 17:24:04 2017

What product(s) use .zed?

I've never heard of it, so a long blog post without context is meaningless to me. Please provide some context as to why people care about your work.

Comment by Anonymous Wed Sep 20 00:43:57 2017

Got it, both libstdc++.a were containing the same .o objects, just ordered differently.
(Even though the order was consistent when rebuilding! possibly due to Docker using a different filesystem.)
The ordering within one .a file is impacting the final executable.

A mere ar x && ar r *.o made the build deterministic.

Comment by beuc Tue Apr 18 21:49:42 2017

Thanks!
Stephen Kitt also pointed that Debian Stretch's MinGW has improved reproducibility provided you trigger it with SOURCE_DATE_EPOCH.
'-Wl,--no-insert-timestamp' helps too. I'm currently running additional tests, I'll probably post a follow-up :)

Comment by beuc Sat Mar 25 19:37:27 2017