texlive: create reproducible .fmt files #196435

Merged: veprbl merged 1 commit into NixOS:staging from raboof:texlive on Oct 20, 2022

raboof commented Oct 17, 2022

Description of changes

Without these changes, building this package twice does not produce the bit-by-bit identical result each time, making it harder to detect CI breaches. You can read more about this at https://reproducible-builds.org/ .

Fixing bit-by-bit reproducibility also has additional advantages, such as avoiding hard-to-reproduce bugs, making content-addressed storage more effective and reducing rebuilds in such systems.

Based on the work done in Debian and documented at https://salsa.debian.org/live-team/live-build/-/blob/master/examples/hooks/reproducible/0139-reproducible-texlive-binaries-fmt-files.hook.chroot

Fixes #192736

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 22.11 Release Notes (or backporting 22.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.
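
The description above turns on whether two builds are bit-by-bit identical. As an added example (not part of this PR or of nixpkgs), the following POSIX shell function compares two build output trees and lists the files that differ; the function name `compare_outputs` and the sample `.fmt` files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which files differ between two build output trees.
# Prints one line per non-identical file and returns 1 if any differ.

compare_outputs() {
  a=$1; b=$2; rc=0
  list=$(mktemp)
  # Union of relative paths, so a file missing on one side is also reported.
  { (cd "$a" && find . -type f); (cd "$b" && find . -type f); } | sort -u > "$list"
  while IFS= read -r rel; do
    if [ ! -f "$a/$rel" ] || [ ! -f "$b/$rel" ]; then
      echo "MISSING $rel"; rc=1
    elif ! cmp -s "$a/$rel" "$b/$rel"; then
      # cmp -l prints one line per differing byte. A small count typically
      # points at an embedded date, a large one at reordered content.
      n=$(cmp -l "$a/$rel" "$b/$rel" 2>/dev/null | wc -l | tr -d ' ')
      echo "DIFF $rel bytes=$n"; rc=1
    fi
  done < "$list"
  rm -f "$list"
  return "$rc"
}

# Constructed sample: two "builds" whose lualatex.fmt differs only in an
# embedded date, while tex.fmt is identical.
sample=$(mktemp -d)
mkdir -p "$sample/build1/web2c" "$sample/build2/web2c"
printf 'FMT 2022.10.17 body\n' > "$sample/build1/web2c/lualatex.fmt"
printf 'FMT 2022.10.18 body\n' > "$sample/build2/web2c/lualatex.fmt"
printf 'same\n' > "$sample/build1/web2c/tex.fmt"
printf 'same\n' > "$sample/build2/web2c/tex.fmt"

compare_outputs "$sample/build1" "$sample/build2" || echo "not reproducible"
```
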

@raboof raboof added the 6.topic: reproducible builds Run nix-build twice and get the same result. label Oct 17, 2022
@github-actions github-actions bot added the 6.topic: TeX Issues regarding texlive and TeX in general label Oct 17, 2022
@ofborg ofborg bot requested a review from veprbl October 17, 2022 15:59
@ofborg ofborg bot added 10.rebuild-darwin: 11-100 This PR causes between 11 and 100 packages to rebuild on Darwin. 10.rebuild-linux: 501+ This PR causes many rebuilds on Linux and should normally target the staging branches. 10.rebuild-linux: 2501-5000 This PR causes many rebuilds on Linux and should target the staging branches. labels Oct 17, 2022
@raboof raboof changed the base branch from master to staging October 17, 2022 15:59

veprbl commented Oct 17, 2022

@GrahamcOfBorg build tests.texlive


raboof commented Oct 18, 2022

@GrahamcOfBorg build tests.texlive

@veprbl veprbl changed the base branch from staging to master October 18, 2022 16:42

veprbl commented Oct 18, 2022

@GrahamcOfBorg build tests.texlive


raboof commented Oct 18, 2022

(I assume you retargeted this PR to master to see if the tests.texlive do succeed there, and if they do we'll retarget back to staging because of the rebuild count? Makes sense to me! 🤞 )


veprbl commented Oct 18, 2022

texlive is only a few hundred rebuilds, we usually don't target it to master.


raboof commented Oct 18, 2022

Hmm, ofborg is reporting 2501-5000 for linux though 🤔

Interesting to see the tests fail when targeting master as well, though - they seem to pass for me locally. Looking into it, but if you can provide any hints I'm all ears :)


veprbl commented Oct 18, 2022

The /nix/store/h374kiml5r1gviflbdmgn75001p4dj5j-reproducible_exception_strings.patch.drv doesn't build for me

error: Normalized patch '/private/tmp/nix-build-reproducible_exception_strings.patch.drv-0/patch' is empty (while the fetched file was not)!
Did you maybe fetch a HTML representation of a patch instead of a raw patch?
Fetched file was:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<link rel="icon" href="/favicon.png">
<title>#1009196 - texlive-binaries: Reproducible content of .fmt files - Debian Bug report logs</title>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="/css/bugs.css" type="text/css">

<link rel="canonical" href="&lt;a href=&quot;bugreport.cgi?bug=1009196&quot;&gt;1009196&lt;/a&gt;">
<script type="text/javascript">
<!--
function toggle_infmessages()
{
        allDivs=document.getElementsByTagName("div");
        for (var i = 0 ; i < allDivs.length ; i++ )
        {
                if (allDivs[i].className == "infmessage")
                {
                        allDivs[i].style.display=(allDivs[i].style.display == 'none' | allDivs[i].style.display == '') ? 'block' : 'none';
                }
        }
}
-->
</script>
</head>
<body>
<h1>Debian Bug report logs - 
<a href="mailto:1009196@bugs.debian.org">#1009196</a><br>
texlive-binaries: Reproducible content of .fmt files</h1>
<div class="versiongraph"><a href="version.cgi?collapse=1;absolute=0;package=texlive-binaries;info=1;found=texlive-bin%2F2021.20210626.59705-1">
<div class="pkginfo">
  <p>Package:
     <a class="submitter" href="pkgreport.cgi?package=texlive-binaries">texlive-binaries</a>;
Maintainer for <a href="pkgreport.cgi?package=texlive-binaries">texlive-binaries</a> is <a href="pkgreport.cgi?maint=debian-tex-maint%40lists.de

</div>


raboof commented Oct 18, 2022

> The /nix/store/h374kiml5r1gviflbdmgn75001p4dj5j-reproducible_exception_strings.patch.drv doesn't build for me

Argh, hashes not getting invalidated when the input URL changes strikes again... fixing

@GrahamcOfBorg build tests.texlive

if [[ -d share/texmf-var/web2c/luahbtex ]]
then
cd share/texmf-var/web2c/luahbtex
faketime $(date --utc -d@$SOURCE_DATE_EPOCH --iso-8601=seconds) luahbtex -ini -jobname=lualatex -progname=lualatex lualatex.ini
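
Review bot: On the faketime line, the timestamp argument $(date --utc -d@$SOURCE_DATE_EPOCH --iso-8601=seconds) is unquoted and SOURCE_DATE_EPOCH is not checked. If the variable is empty, date fails, the substitution expands to nothing, and faketime takes luahbtex as its timestamp. Suggest quoting the substitution and using ${SOURCE_DATE_EPOCH:?} so the step fails loudly instead. The cd on the preceding line also leaves the working directory changed for any commands that run after this step; a subshell or pushd/popd would keep it local.
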
Member

Your link does not mention luahbtex, and the engines are supposed to be completely different. I assume you found an additional issue with it?

Member Author

correct, though I didn't manage to investigate it sufficiently to write up a useful upstream report yet.

@veprbl veprbl changed the base branch from master to staging October 20, 2022 14:18
@veprbl veprbl merged commit 508429a into NixOS:staging Oct 20, 2022
@ofborg ofborg bot requested a review from veprbl October 20, 2022 14:29

vcunat commented Oct 30, 2022

This PR broke scheme-minimal: https://hydra.nixos.org/build/196758219
/cc PR #198236


raboof commented Oct 30, 2022

> This PR broke scheme-minimal: https://hydra.nixos.org/build/196758219 /cc PR #198236

Ouch, sorry about that. I can reproduce, though it's not obvious to me yet how this change would cause that problem. I'll dig in further, but possibly I won't get to it properly before Tuesday. If that holds up other things then feel free to revert I guess :(


veprbl commented Oct 31, 2022

@raboof Should we revert for now? It might be worth exploring where the date is used in the source code. I've tried looking into that previously without success, but if we can patch it, it should be a simpler change, possibly even upstreamable.


raboof commented Oct 31, 2022

> @raboof Should we revert for now?

I'm not familiar enough with the staging process to judge how urgent it is to resolve this problem. If it's urgent then, as said, revert - but if it can wait until tomorrow I would prefer to "roll forward".

> It might be worth exploring where the date is used in the source code. I've tried looking into that previously without success, but if we can patch it, it should be a simpler change, possibly even upstreamable.

For the order of the hyphenation exception strings, this patch has already been proposed upstream, but they seem to be discussing other ways to fix it.

For the date in the ini, I agree it might be neater to adapt this with a patch instead of using faketime. The Debian notes at https://salsa.debian.org/live-team/live-build/-/blob/master/examples/hooks/reproducible/0139-reproducible-texlive-binaries-fmt-files.hook.chroot#L12 suggest that this was also already brought up upstream and they didn't want to have it fixed, though I didn't find the upstream discussion to find out why yet.


vcunat commented Oct 31, 2022

The current batch is only waiting for the openssl critical security update, to be released tomorrow (2022-11-01, 13:00-17:00 UTC). I'll revert around that point if not resolved by then.

raboof added a commit to raboof/nixpkgs that referenced this pull request Nov 1, 2022

raboof commented Nov 1, 2022

Fixed in #198892 - though I'm not sure if that is supposed to target staging or staging-next?

vcunat pushed a commit that referenced this pull request Nov 1, 2022

Development

Successfully merging this pull request may close these issues.

texlive.combined.scheme-basic: ordering nondeterminism