shesek/spark-wallet

Reproducible build fails due to a missing dependency

Giszmo opened this issue · 1 comments

Following the reproducible build instructions, I run into a missing dependency openjdk-8-jdk-headless=8u302-b08-1~deb9u1:

$ mkdir ~/tmp
$ cd ~/tmp/
$ git clone https://github.com/shesek/spark-wallet && cd spark-wallet
$ git checkout v0.3.1 
HEAD is now at 4ffb929 v0.3.1
...
Step 14/35 : RUN apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update
 ---> Running in a098df6b197f
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:5 https://dl.winehq.org/wine-builds/debian bullseye InRelease
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [748 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main i386 Packages [748 kB]
Fetched 1549 kB in 1s (1847 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
E: Version '8u302-b08-1~deb9u1' for 'openjdk-8-jdk-headless' was not found
The command '/bin/sh -c apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update' returned a non-zero code: 100

I'm publishing my findings on WalletScrutiny and would love to soon list this app – particularly Android – as reproducible.

The build failures can easily be fixed manually by removing the version strings that cause failures at the time of the check, like:

sed -i 's/winehq-stable=6.0.2~bullseye-1/winehq-stable/g' ./scripts/builder.Dockerfile;
sed -i 's/openjdk-8-jdk-headless=8u302-b08-1~deb9u1/openjdk-8-jdk-headless/g' ./scripts/builder.Dockerfile;

and then call the container build command:

podman build --rm -f scripts/builder.Dockerfile -t spark-builder031 .
mkdir docker-builds
podman run --rm --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined -it -v `pwd`/docker-builds:/target:Z,rw spark-builder031

which will build a debug APK. For creating a release APK, the RB instructions at:
https://github.com/shesek/spark-wallet/blob/8b66e1df830f9e6c1bb8eab874103a509028ca60/doc/reproducible-builds.md#reproduce-with-docker

should be updated, as it requires more steps that are not documented, like creating the spark-signing-keys directory.

# Try loading Android signing keys
[[ -z "$ANDROID_RELEASE_CONFIG" && -f ../spark-signing-keys/build.json ]] && ANDROID_KEYS=`pwd`/../spark-signing-keys

The latest commit in the repo is for the unreleased version 0.3.2-rc. For the upcoming version, the suggestions regarding RB are:

  1. update RB documentation on building release apk (creating content of spark-signing-keys directory)

  2. use SOURCE_DATE_EPOCH env var https://reproducible-builds.org/docs/source-date-epoch/

Using it might allow getting rid of the faketime usage in (if faketime is still needed, a bug should be opened upstream for the affected component to support SOURCE_DATE_EPOCH):

# Use faketime (if available) to make reproducible electron builds (works for all builds except deb and the Windows portable runner)
: ${LIBFAKETIME:=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1}
if [ -f "$LIBFAKETIME" ]; then
# Set a start timestamp and make the clock move *very* slowly. The build
# should finish in under 1 second with this speed.
export LD_PRELOAD=$LIBFAKETIME FAKETIME="@2017-11-08 16:58:41 x0.0000001"
fi

faketime=0.9.8-9 fuse=2.9.9-5 disorderfs=0.5.11-1

  3. update all deps, as it is likely that one of them is to blame for the RB failure, and do an RB test locally on the latest commit.
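
A preflight check for the failure reported in this issue, as an added example that is not part of the thread or of the spark-wallet repository: it lists every `pkg=version` pin in a Dockerfile and reports the ones apt can no longer satisfy, before the long container build starts. The function names and the sample fragment are assumptions made for illustration; the two pins in the sample are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the spark-wallet repo): find apt version pins in a
# Dockerfile that the configured apt sources no longer offer.

# Print "package version" for each pkg=version token in file $1.
# Heuristic: lowercase Debian package name, '=', version starting with a digit.
extract_pins() {
  grep -oE '(^|[[:space:]])[a-z0-9][a-z0-9+.-]+=[0-9][^[:space:];&]*' "$1" |
    sed -E 's/^[[:space:]]+//; s/=/ /' | sort -u
}

# Versions currently offered for package $1. Must run where the same apt
# sources as in the Dockerfile are configured (e.g. inside the base image).
available_versions() {
  apt-cache madison "$1" 2>/dev/null |
    awk -F'|' '{ gsub(/[ \t]/, "", $2); print $2 }'
}

# Print every pin that cannot be satisfied; return 1 if there is at least one.
stale_pins() {
  stale=$(extract_pins "$1" | while read -r pkg ver; do
    available_versions "$pkg" | grep -qxF -- "$ver" || echo "$pkg=$ver"
  done)
  if [ -n "$stale" ]; then
    printf '%s\n' "$stale"
    return 1
  fi
}

# Constructed sample: a Dockerfile fragment with the two pins quoted above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
RUN apt-get update && apt-get install -y --no-install-recommends \
    openjdk-8-jdk-headless=8u302-b08-1~deb9u1 winehq-stable=6.0.2~bullseye-1 git
EOF

# Check the file given as $1, or the constructed sample when run without one.
stale_pins "${1:-$SAMPLE}" ||
  echo "pins listed above are not offered by the configured apt sources" >&2
```

The non-zero return of `stale_pins` makes it usable as a gate in a build script; on a machine without `apt-cache` every pin is reported, since no version can be confirmed.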