Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-95376

Non-reproducible RPM builds due to python3-rpm-generators

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Minor Minor
    • rhel-9.8
    • rhel-9.6
    • rpm
    • rpm-4.16.1.3-40.el9
    • Yes
    • Important
    • rhel-swm
    • ssg_core_services
    • 14
    • 0
    • False
    • False
    • Hide

      None

      Show
      None
    • No
    • None
    • Hide

      AC: files are sorted before passing to generator which will make sure the builds are deterministic

      Test: as we are unable to reproduce, we will depend on unit tests, sanity and regression testing, effectively classifying it as RegressionOnly testing.

      Show
      AC: files are sorted before passing to generator which will make sure the builds are deterministic Test: as we are unable to reproduce, we will depend on unit tests, sanity and regression testing, effectively classifying it as RegressionOnly testing.
    • Pass
    • RegressionOnly
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      The following specfile will build non-reproducibly on RHEL 9:

      Name:    python3-foo
Version: 1.0
Release: 1
Summary: foo
License: Foo License

BuildRequires: python3-devel

%description
foo

%prep

%build

%install
for i in $(seq 1 100); do
    touch ${RPM_BUILD_ROOT}/foo$i
done

%files
/foo*

%changelog
* Mon Jun 02 2025 Chris Riches <chris.riches@nutanix.com>
- dummy entry for SOURCE_DATE_EPOCH

      The culprit is an interaction between RPM and python3-rpm-generators. The latter applies the following dynamic dependencies to the first file it sees from the package:

      Provides:  python-foo    = 1.0-1
Provides:  python3.9-foo = 1.0-1
Obsoletes: python39-foo  < 1.0-1

      However, RPM passes the package files into this generator in a non-deterministic order, meaning that a different file gets the dependency each time. This causes the overall build to be non-reproducible due to differences in the Filedependsx, Filedependsn, and Dependsdict parts of the RPM metadata.

      I have a proposed RPM patch to fix this: https://github.com/rpm-software-management/rpm/pull/3786

              mdomonko@redhat.com Michal Domonkos
              chris-riches-redhat Chris Riches (Inactive)
              Nutanix Confidential Group
              packaging-team-maint packaging-team-maint
              Martin Banas Martin Banas
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated: