$ python koji_rebuild.py zlib-1.2.13-5.fc40 $ diffoscope cache/rpms/zlib-1.2.13-5.fc40/zlib-static-1.2.13-5.fc40.x86_64.rpm cache/bu ild/zlib-1.2.13-5.fc40/rebuild/zlib-static-1.2.13-5.fc40.x86_64.rpm ... ├── content │ ├── ./usr/lib64/libz.a │ │ ├── file list │ │ │ @@ -1,16 +1,16 @@ │ │ │ ----------- 0 0 0 1760 2023-10-25 07:43:22.000000 / │ │ │ --rw-r--r-- 0 1000 425 3336 2023-10-25 07:43:22.000000 adler32.o │ │ │ --rw-r--r-- 0 1000 425 13760 2023-10-25 07:43:22.000000 crc32.o │ │ │ --rw-r--r-- 0 1000 425 22872 2023-10-25 07:43:22.000000 deflate.o │ │ │ --rw-r--r-- 0 1000 425 12016 2023-10-25 07:43:22.000000 infback.o │ │ │ --rw-r--r-- 0 1000 425 3328 2023-10-25 07:43:22.000000 inffast.o │ │ │ --rw-r--r-- 0 1000 425 21624 2023-10-25 07:43:22.000000 inflate.o │ │ │ --rw-r--r-- 0 1000 425 3792 2023-10-25 07:43:22.000000 inftrees.o │ │ │ --rw-r--r-- 0 1000 425 15128 2023-10-25 07:43:22.000000 trees.o │ │ │ --rw-r--r-- 0 1000 425 2864 2023-10-25 07:43:22.000000 zutil.o │ │ │ --rw-r--r-- 0 1000 425 2496 2023-10-25 07:43:22.000000 compress.o │ │ │ --rw-r--r-- 0 1000 425 2672 2023-10-25 07:43:22.000000 uncompr.o │ │ │ --rw-r--r-- 0 1000 425 1688 2023-10-25 07:43:22.000000 gzclose.o │ │ │ --rw-r--r-- 0 1000 425 9496 2023-10-25 07:43:22.000000 gzlib.o │ │ │ --rw-r--r-- 0 1000 425 8792 2023-10-25 07:43:22.000000 gzread.o │ │ │ --rw-r--r-- 0 1000 425 8048 2023-10-25 07:43:22.000000 gzwrite.o │ │ │ +---------- 0 0 0 1760 2023-10-25 15:51:26.000000 / │ │ │ +-rw-r--r-- 0 1000 135 3336 2023-10-25 15:51:26.000000 adler32.o │ │ │ +-rw-r--r-- 0 1000 135 13760 2023-10-25 15:51:26.000000 crc32.o │ │ │ +-rw-r--r-- 0 1000 135 22872 2023-10-25 15:51:26.000000 deflate.o │ │ │ +-rw-r--r-- 0 1000 135 12016 2023-10-25 15:51:26.000000 infback.o │ │ │ +-rw-r--r-- 0 1000 135 3328 2023-10-25 15:51:26.000000 inffast.o │ │ │ +-rw-r--r-- 0 1000 135 21624 2023-10-25 15:51:26.000000 inflate.o │ │ │ +-rw-r--r-- 0 1000 135 3792 2023-10-25 15:51:26.000000 inftrees.o │ │ │ +-rw-r--r-- 0 1000 135 15128 2023-10-25 15:51:26.000000 trees.o │ │ │ +-rw-r--r-- 0 1000 135 2864 2023-10-25 15:51:26.000000 zutil.o │ │ │ +-rw-r--r-- 0 1000 135 2496 2023-10-25 15:51:26.000000 compress.o │ │ │ +-rw-r--r-- 0 1000 135 2672 2023-10-25 15:51:26.000000 uncompr.o │ │ │ +-rw-r--r-- 0 1000 135 1688 2023-10-25 15:51:26.000000 gzclose.o │ │ │ +-rw-r--r-- 0 1000 135 9496 2023-10-25 15:51:26.000000 gzlib.o │ │ │ +-rw-r--r-- 0 1000 135 8792 2023-10-25 15:51:26.000000 gzread.o │ │ │ +-rw-r--r-- 0 1000 135 8048 2023-10-25 15:51:26.000000 gzwrite.o
It also hardcodes the uid and gid numbers: 1000 is my local user, and 135 is the mock group. Presumably, it's 1000 is the build user and 425 is the mock group in koji.
Thankfully, static libraries are not common, but it looks like this would affect in general all packages with static libraries.
The issue still occurs.
Same for xz-5.6.0-1.fc41.
xz-5.6.0-1.fc41
So this means GCC needs to be made aware then.
Same for gnutls-3.8.3-3.fc40.
gnutls-3.8.3-3.fc40
Hmm, maybe. In normal circumstances, this seems to be correct behaviour: .a is just an archive, and the archive uses the metadata of the files that are added to it. But in the case of a package build, we would like to sanitize this metadata. I'm pretty sure that the default behaviour of ar shouldn't change. But maybe it would make sense to change gcc to always do this normalization, i.e. to call ar in a special way. I don't think it makes any sense to embed the uids and gids in the static library, even for normal non-package builds.
.a
ar
gcc
So… we generally create archives using gcc-ar. And gcc-ar has option D to "use zero for timestamps and uids/gids", which would DTRT. But it's not clear how to "feed" this option to it. For example, in meson builds, meson seems to call gcc-ar itself. In other build scripts, ar or gcc-ar might be called via a custom rule.
gcc-ar
D
Maybe instead we should run a postprocessing script to strip this information?
https://github.com/keszybz/add-determinism/blob/main/src/handlers/ar.rs implements a cleaner.
Login to comment on this ticket.