GH-47798: [CI][Packaging] Enable reproducible builds for Linux packages #47864
Conversation
…porarily and skip rat check on patch
|
Thanks for opening a pull request! If this is not a minor PR. Could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project. Then could you also rename the pull request title in the following format? or See also: |
…or reproducible builds
…ile even though it is wrong. Just testing purposes
…when HOME is modified
There was a problem hiding this comment.
This is currently building the artifacts 3 times, 2 via reprotest to validate reproducibility and 1 for the final artifact generated. Similar to when we run reprotest for our source code but on the Linux Packages case it obviously takes a really long time, 2h 30m on the debian-trixie-amd64 job that is running reprotest:
https://github.com/apache/arrow/actions/runs/18685243685/job/53276081878
Should the approach be to run reprotest always? It potentially could be interesting to disable REPROTEST on PR checks and enable it manually if necessary?
There is still a lot of work to be done here, apart from fixing reproducible builds when build_path variant is used and adding the requirements to other debian packages and rpm.
| export DEB_BUILD_OPTIONS | ||
| df -h | ||
| if [ "${REPROTEST:-no}" = "yes" ]; then | ||
| run reprotest --verbosity 2 --vary=-kernel,-fileordering,-domain_host,-build_path -s .. ./reprotest.sh **.deb |
There was a problem hiding this comment.
I am currently investigating why if build_path is exercised, basically applying the following diff:
| run reprotest --verbosity 2 --vary=-kernel,-fileordering,-domain_host,-build_path -s .. ./reprotest.sh **.deb | |
| run reprotest --verbosity 2 --vary=-kernel,-fileordering,-domain_host -s .. ./reprotest.sh **.deb |
The binaries generated (**.deb) are not reproducible, I've tried different approaches like:
diff --git a/dev/tasks/linux-packages/apache-arrow/debian/rules b/dev/tasks/linux-packages/apache-arrow/debian/rules
index 19dba393b1..17ef34fc4b 100755
--- a/dev/tasks/linux-packages/apache-arrow/debian/rules
+++ b/dev/tasks/linux-packages/apache-arrow/debian/rules
@@ -6,7 +6,7 @@
# This has to be exported to make some magic below work.
export DH_OPTIONS
-export DEB_BUILD_MAINT_OPTIONS=reproducible=-timeless
+export DEB_BUILD_MAINT_OPTIONS= hardening=+all reproducible=-timeless,+fixfilepath
BUILD_TYPE=relwithdebinfo
@@ -31,6 +31,7 @@ override_dh_auto_configure:
--builddirectory=cpp_build \
--buildsystem=cmake+ninja \
-- \
+ $(shell dpkg-buildflags --export=configure) \
-DARROW_AZURE=$${ARROW_AZURE} \
-DARROW_BUILD_UTILITIES=ON \
-DARROW_COMPUTE=ON \but no luck so far. More info about build_path in reproducible builds:
https://reproducible-builds.org/docs/build-path/
github-actions
bot
added
awaiting changes
1 participant
TBD
This is just a testing PR at the moment to validate a CI job. There's still work to be done.
Rationale for this change
What changes are included in this PR?
Are these changes tested?
Are there any user-facing changes?
This PR includes breaking changes to public APIs. (If there are any breaking changes to public APIs, please explain which changes are breaking. If not, you can remove this.)
This PR contains a "Critical Fix". (If the changes fix either (a) a security vulnerability, (b) a bug that caused incorrect or invalid data to be produced, or (c) a bug that causes a crash (even when the API contract is upheld), please provide explanation. If not, you can remove this.)