Recent comments on posts in the blog:

Thanks for your input. It seems this tool only patches the final executable to reset some metadata.

AFAICS this alleviates the need for a patched binutils and works on VC++ binaries, however this is a fraction of what makes a build reproducible.

Comment by beuc Fri Jul 6 07:12:50 2018
Are you aware of this tool for making DLLs/EXEs reproducible?
Comment by Anonymous Fri Jun 22 02:33:06 2018

Actually Debian Docker images are now marked as "official", and there is some work to make them reproducible https://github.com/debuerreotype/debuerreotype

Although I didn't figure out how to verify the checksum of said images - probably worth a separate post.

Comment by beuc Wed Jun 20 15:30:40 2018

The particular issue of varying BuildID-s due to the debugging symbols can actually be fixed through -fdebug-prefix-map already, e.g.:

$ (cd repro && gcc-6 -g hello.c -o hello && sha256sum hello)
9d41920af912b8d1810f75940489ee99b6e6712788b5a54e1d1829fe84e7ed96  hello
$ (cd repro-b && gcc-6 -g hello.c -o hello && sha256sum hello)
bb99335f4d2242506b75f1f8d437d9b85877cf42c4cbf734ed5eca0b73f7ace0  hello

$ (cd repro && gcc-6 -fdebug-prefix-map=$(pwd)=/ -g hello.c -o hello && sha256sum hello)
fbdf49c11b4b4138bff7fb2cacaa5304690bfa748d4455dc67585cf4325eed06  hello
$ (cd repro-b && gcc-6 -fdebug-prefix-map=$(pwd)=/ -g hello.c -o hello && sha256sum hello)
fbdf49c11b4b4138bff7fb2cacaa5304690bfa748d4455dc67585cf4325eed06  hello

I wish I was told earlier.

Comment by beuc Wed Jun 20 13:52:45 2018

I've been using fossil for months, and I can think of 3 features which are much better than in git:
- opensource. All of it.
- It has a single sqlite database (single file)
- you can checkout to multiple directories, multiple revisions (helped me a lot)

Comment by Anonymous Thu Jun 7 05:11:01 2018

Hi, if you don't know about .zed files, you can forget about it and return to your happy life! :)
I'm not going to advertise those products.

Comment by beuc Wed Sep 20 17:24:04 2017

What product(s) use .zed?

I've never heard of it, so a long blog post without context is meaningless to me. Please provide some context as to why people care about your work.

Comment by Anonymous Wed Sep 20 00:43:57 2017

Got it, both libstdc++.a were containing the same .o objects, just ordered differently.
(Even though the order was consistent when rebuilding! possibly due to Docker using a different filesystem.)
The ordering within one .a file is impacting the final executable.

A mere ar x && ar r *.o made the build deterministic.

Comment by beuc Tue Apr 18 21:49:42 2017
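
An added example, not code from the comment above or from the blog: a check for the archive-ordering problem that comment describes, which lists the members of two GNU-style `.a` files in on-disk order and reports whether they hold the same objects in a different order. The names `ar_members`, `compare` and `make_ar` are hypothetical, and the sample archives are constructed in memory.

```python
import hashlib

MAGIC = b"!<arch>\n"

def ar_members(blob):
    """Return [(name, sha256 hex)] in on-disk order for a GNU-style ar archive."""
    if not blob.startswith(MAGIC):
        raise ValueError("not an ar archive")
    members, longnames, pos = [], b"", len(MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]           # fixed 60-byte member header
        if hdr[58:60] != b"`\n":
            raise ValueError("bad member header at offset %d" % pos)
        name = hdr[0:16].decode("ascii").rstrip()
        size = int(hdr[48:58].decode("ascii"))
        data = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)      # member data is padded to an even offset
        if name == "//":                   # GNU long-name table
            longnames = data
            continue
        if name in ("/", "/SYM64/"):       # symbol index, not an object file
            continue
        if name.startswith("/"):           # "/<offset>" into the long-name table
            off = int(name[1:])
            name = longnames[off:longnames.index(b"/\n", off)].decode("ascii")
        else:
            name = name.rstrip("/")        # short names end with "/"
        members.append((name, hashlib.sha256(data).hexdigest()))
    return members

def compare(a, b):
    """Classify how two archives differ: order only, or actual content."""
    ma, mb = ar_members(a), ar_members(b)
    if ma == mb:
        return "identical"
    if sorted(ma) == sorted(mb):
        return "same objects, different order"
    return "different objects"

def make_ar(files):
    """Build a small archive in memory (constructed sample input, short names only)."""
    out = MAGIC
    for name, data in files:
        hdr = "%-16s%-12d%-6d%-6d%-8s%-10d`\n" % (name + "/", 0, 0, 0, "644", len(data))
        out += hdr.encode("ascii") + data + (b"\n" if len(data) & 1 else b"")
    return out

if __name__ == "__main__":
    objs = [("a.o", b"AAA"), ("b.o", b"BBBB")]  # constructed sample members
    print(compare(make_ar(objs), make_ar(objs[::-1])))
```

A result of "same objects, different order" means the two archives differ only in member ordering, which is the case the `ar x && ar r *.o` rebuild in the comment addresses.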

Thanks!
Stephen Kitt also pointed out that Debian Stretch's MinGW has improved reproducibility provided you trigger it with SOURCE_DATE_EPOCH.
'-Wl,--no-insert-timestamp' helps too. I'm currently running additional tests, I'll probably post a follow-up :)

Comment by beuc Sat Mar 25 19:37:27 2017

Windows executables include a "link time" field which you need to fix. If you build a PDB they will also contain the absolute path to that by default.

(There are probably some other issues; I haven't worked on Windows for a long time.)

Comment by Anonymous Sat Mar 25 03:26:34 2017