Recent comments on posts in the blog:

I have been surfing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. In my view, if all webmasters and bloggers made good content as you did, the internet will be much more useful than ever before.
Comment by Anonymous Thu Jun 21 14:11:29 2018

Actually Debian Docker images are now marked as "official", and there is some work to make them reproducible https://github.com/debuerreotype/debuerreotype

Although I didn't figure out how to verify the checksum of said images - probably worth a separate post.

Comment by beuc Wed Jun 20 15:30:40 2018

The particular issue of varying BuildID-s due to the debugging symbols can actually be fixed through -fdebug-prefix-map already, e.g.:

$ (cd repro && gcc-6 -g hello.c -o hello && sha256sum hello)
9d41920af912b8d1810f75940489ee99b6e6712788b5a54e1d1829fe84e7ed96  hello
$ (cd repro-b && gcc-6 -g hello.c -o hello && sha256sum hello)
bb99335f4d2242506b75f1f8d437d9b85877cf42c4cbf734ed5eca0b73f7ace0  hello

$ (cd repro && gcc-6 -fdebug-prefix-map=$(pwd)=/ -g hello.c -o hello && sha256sum hello)
fbdf49c11b4b4138bff7fb2cacaa5304690bfa748d4455dc67585cf4325eed06  hello
$ (cd repro-b && gcc-6 -fdebug-prefix-map=$(pwd)=/ -g hello.c -o hello && sha256sum hello)
fbdf49c11b4b4138bff7fb2cacaa5304690bfa748d4455dc67585cf4325eed06  hello

I wish I was told earlier.

Comment by beuc Wed Jun 20 13:52:45 2018

I've been using fossil for months, and I can think of 3 features which are much better than in git:
- opensource. All of it.
- It has a single sqlite database (single file)
- you can checkout to multiple directories, multiple revisions (helped me a lot)

Comment by Anonymous Thu Jun 7 05:11:01 2018

Hi, if you don't know about .zed files, you can forget about it and return to your happy life! :)
I'm not going to advertise those products.

Comment by beuc Wed Sep 20 17:24:04 2017

What product(s) use .zed?

I've never heard of it, so a long blog post without context is meaningless to me. Please provide some context as to why people care about your work.

Comment by Anonymous Wed Sep 20 00:43:57 2017

Got it, both libstdc++.a were containing the same .o objects, just ordered differently.
(Even though the order was consistent when rebuilding! possibly due to Docker using a different filesystem.)
The ordering within one .a file is impacting the final executable.

A mere ar x && ar r *.o made the build deterministic.

Comment by beuc Tue Apr 18 21:49:42 2017
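
The archive-ordering problem described in the comment above can be checked before relinking. The following is an added example, not part of the original comment or the blog's code: it reads two GNU-style .a files and reports whether they hold the same objects in a different order. The helper names and the sample archives are constructed for illustration; only member names and content hashes are compared, so header timestamps and owner fields are ignored.

```python
import hashlib

AR_MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Return [(name, sha256-of-data)] in on-disk order for a GNU-style ar archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    members, longnames, pos = [], b"", len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name, size = hdr[:16].rstrip(b" "), int(hdr[48:58].strip())
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)        # member data is padded to an even length
        if name == b"//":                    # GNU long-name table
            longnames = data
        elif name in (b"/", b"/SYM64/"):     # symbol index, not an object file
            continue
        else:
            if name.startswith(b"/"):        # "/<offset>" points into the long-name table
                off = int(name[1:])
                name = longnames[off:longnames.index(b"\n", off)]
            members.append((name.rstrip(b"/").decode(), hashlib.sha256(data).hexdigest()))
    return members

def compare(a, b):
    """Classify two archives by member names and contents."""
    ma, mb = ar_members(a), ar_members(b)
    if ma == mb:
        return "same members, same order"
    return "same members, different order" if sorted(ma) == sorted(mb) else "different members"

def make_ar(files):
    """Build a minimal archive from [(name, data)]; used only for the sample input."""
    out = AR_MAGIC
    for name, data in files:
        out += b"%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name.encode() + b"/", 0, 0, 0, b"644", len(data))
        out += data + b"\n" * (len(data) & 1)
    return out

# Constructed sample: the same two "objects", archived in opposite orders.
OBJS = [("a.o", b"\x7fELF-a"), ("b.o", b"\x7fELF-bb")]
LIB_1, LIB_2 = make_ar(OBJS), make_ar(OBJS[::-1])

if __name__ == "__main__":
    print(compare(LIB_1, LIB_2))   # same members, different order
```

A "same members, different order" result means the two archives differ byte for byte only because of member order, which is the case that re-adding the objects in a fixed order resolves.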

Thanks!
Stephen Kitt also pointed out that Debian Stretch's MinGW has improved reproducibility provided you trigger it with SOURCE_DATE_EPOCH.
'-Wl,--no-insert-timestamp' helps too. I'm currently running additional tests, I'll probably post a follow-up :)

Comment by beuc Sat Mar 25 19:37:27 2017

Windows executables include a "link time" field which you need to fix. If you build a PDB they will also contain the absolute path to that by default.

(There are probably some other issues; I haven't worked on Windows for a long time.)

Comment by Anonymous Sat Mar 25 03:26:34 2017

Following the discussions, Replicant is currently thinking about earlier, SDK-focused ports, and F-Droid expressed interest in freeing the SDK&NDK they use (although the diversity of the packages means all SDK platform versions need to be available).

I think it's important to keep rebuilding and testing the dev tools, to assess feasibility and raise confidence.

Comment by beuc Wed Oct 7 12:07:21 2015