Mailing List Archive

Reproducibility problem
Hello quagga!

I'm trying to package quagga for guix.

Package compiles all right, test suite runs ok.

The only problem seems to be that the build is not reproducible.

I managed to narrow that down to the fact that generating vtysh_cmd.c is not
deterministic.

At first I thought it is just an ordering issue.

I checked the code, and it seems that DEFSH function definitions can be
freely moved around, and the order of install_elements seems not to matter either.

I wrote a simple post processor to get identical ordering.

However after ordering the files are still different.

Here is an example diff:

gabriel@guixsd-test ~/quaqqa-sorter [env]$ diff cmd.c.sorted cmd.c.sorted2
1979,1989d1978
< DEFSH (VTYSH_BGPD, clear_ip_bgp_all_vpnv4_soft_in_cmd_vtysh,
< "clear ip bgp * vpnv4 unicast soft in",
< "Reset functions\n"
< "IP information\n"
< "BGP information\n"
< "Clear all peers\n"
< "Address family\n"
< "Address Family Modifier\n"
< "Soft reconfig inbound and outbound updates\n"
< "Send route-refresh unless using 'soft-reconfiguration inbound'\n")
<
5023a5013,5022
> DEFSH (VTYSH_BGPD, no_neighbor_attr_unchanged5_cmd_vtysh,
> "no neighbor (A.B.C.D|X:X::X:X|WORD) " "attribute-unchanged
as-path next-hop med",
> "Negate a command or set its defaults\n"
> "Specify neighbor router\n"
> "Neighbor address\nNeighbor IPv6 address\nNeighbor tag\n"
> "BGP attribute is propagated unchanged to this neighbor\n"
> "As-path attribute\n"
> "Nexthop attribute\n"
> "Med attribute\n")
>
13193,13201c13192,13201
< DEFSH (VTYSH_BGPD, no_neighbor_attr_unchanged5_cmd_vtysh,
< "no neighbor (A.B.C.D|X:X::X:X|WORD) " "attribute-unchanged
as-path next-hop med",
< "Negate a command or set its defaults\n"
< "Specify neighbor router\n"
< "Neighbor address\nNeighbor IPv6 address\nNeighbor tag\n"
< "BGP attribute is propagated unchanged to this neighbor\n"
< "As-path attribute\n"
< "Nexthop attribute\n"
< "Med attribute\n")
---
> DEFSH (VTYSH_BGPD, clear_ip_bgp_all_vpnv4_soft_in_cmd_vtysh,
> "clear ip bgp * vpnv4 unicast soft in",
> "Reset functions\n"
> "IP information\n"
> "BGP information\n"
> "Clear all peers\n"
> "Address family\n"
> "Address Family Modifier\n"
> "Soft reconfig inbound and outbound updates\n"
> "Send route-refresh unless using 'soft-reconfiguration inbound'\n")

I do not always exactly get this diff.

I would like to know, if this behaviour is intentional.

If it is not, I'm willing to help, if you think it is worth it.

I can send the way I am sorting the file now, if that helps.

Re: Reproducibility problem
Hi



On Fri, Jun 23, 2017 at 7:32 PM, Gábor Boskovits <boskovits@gmail.com>
wrote:

> Hello quagga!
>
> I'm trying to package quagga for guix.
>
> Package compiles all right, test suite runs ok.
>
> The only problem seems to be that the build is not reproducible.
>

Can you clarify what you mean by build is not reproducible?

Re: Reproducibility problem
Gábor Boskovits wrote:
> The only problem seems to be that the build is not reproducible.
>
> I managed to narrow that down to the fact that generating vtysh_cmd.c is not
> deterministic.
>
> At first I thought it is just an ordering issue.

It's just an ordering issue. The reason for this behaviour is explained
here:

> http://perldoc.perl.org/perlsec.html#Algorithmic-Complexity-Attacks

If it bothers you, you can fix it by replacing all instances of "keys"
in vtysh/extract.pl by "sort keys".

Nick

_______________________________________________
Quagga-dev mailing list
Quagga-dev@lists.quagga.net
https://lists.quagga.net/mailman/listinfo/quagga-dev
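
The effect of replacing "keys" with "sort keys", as an added example that is not part of the thread and not code from vtysh/extract.pl: a small generator in the same style is run in several fresh Perl interpreters and its outputs are compared by SHA-256. The %defsh table, the generate() function and the "unsorted"/"sorted" arguments are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not code from vtysh/extract.pl.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed command table: the first two names and command strings are taken
# from the diff in this thread, the rest are made up for illustration.
my %defsh = (
    clear_ip_bgp_all_vpnv4_soft_in_cmd_vtysh =>
        'clear ip bgp * vpnv4 unicast soft in',
    no_neighbor_attr_unchanged5_cmd_vtysh =>
        'no neighbor (A.B.C.D|X:X::X:X|WORD) attribute-unchanged as-path next-hop med',
    sample_show_alpha_cmd_vtysh => 'show sample alpha',
    sample_show_beta_cmd_vtysh  => 'show sample beta',
    sample_show_gamma_cmd_vtysh => 'show sample gamma',
    sample_show_delta_cmd_vtysh => 'show sample delta',
);

# Emit one DEFSH block per entry. With $sorted false the order is whatever
# "keys" returns, which depends on the per-process hash seed.
sub generate {
    my ($sorted) = @_;
    my @names = $sorted ? sort keys %defsh : keys %defsh;
    return join '', map { "DEFSH (VTYSH_BGPD, $_,\n       \"$defsh{$_}\")\n\n" } @names;
}

# Child mode: print the generated text and stop.
if (@ARGV) {
    print generate($ARGV[0] eq 'sorted');
    exit 0;
}

# Parent mode: rerun this script in fresh interpreters (each gets its own
# hash seed) and count how many distinct outputs come back.
for my $mode (qw(unsorted sorted)) {
    my %digests;
    for my $run (1 .. 8) {
        open(my $fh, '-|', $^X, $0, $mode) or die "cannot run $0: $!";
        my $out = do { local $/; <$fh> };
        close($fh) or die "child failed: $?";
        $digests{ sha256_hex($out) }++;
    }
    printf "%-8s %d distinct output(s) in 8 runs\n", $mode, scalar keys %digests;
}
```

On Perl 5.18 or later the unsorted row normally reports more than one distinct output, while the sorted row always reports exactly one.
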
Re: Reproducibility problem
Ok, I have a patch for that.
It seems to work fine.

I added it to https://github.com/Boskovits/quagga.git on branch reproducible-build
<https://github.com/Boskovits/quagga/tree/reproducible-build>.

It just does what Nick Hilliard suggested: it replaces keys with sort keys.

It might increase build time, but the impact seems negligible.

The advantage is that this way bit-by-bit reproducible binaries are
generated.

See https://reproducible-builds.org/ if further reference is needed.

2017-06-23 20:46 GMT+02:00 Gábor Boskovits <boskovits@gmail.com>:

> Thanks, I have found out.
> We need this to provide substitutes.
> I guess this won't go upstream, so I will maintain it separately.
>
>
> 2017-06-23 20:39 GMT+02:00 Nick Hilliard <nick@foobar.org>:
>
>> Gábor Boskovits wrote:
>> > The only problem seems to be that the build is not reproducible.
>> >
>> > I managed to narrow that down to the fact that generating vtysh_cmd.c is not
>> > deterministic.
>> >
>> > At first I thought it is just an ordering issue.
>>
>> It's just an ordering issue. The reason for this behaviour is explained
>> here:
>>
>> > http://perldoc.perl.org/perlsec.html#Algorithmic-Complexity-Attacks
>>
>> If it bothers you, you can fix it by replacing all instances of "keys"
>> in vtysh/extract.pl by "sort keys".
>>
>> Nick
>>
>>
>