Bug 1143905

Summary: fwupd does not build reproducibly with LTO
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Bernhard Wiedemann <bwiedemann>
Component: Development
Assignee: Gary Ching-Pang Lin <glin>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: dleuenberger, martin.liska
Version: Current
Hardware: Other
OS: openSUSE Factory
See Also: https://github.com/hughsie/fwupd/issues/1298
Found By: Development
Bug Blocks: 1081754

Description Bernhard Wiedemann 2019-08-02 04:53:43 UTC
This is because meson.build calls fu-hash.py src/libfwupdprivate.a and .a files contain unreproducible LTO data now. This produces a fu-hash.h file with a nondeterministic FU_BUILD_HASH string that gets embedded in various binaries.

Unrelated to this, there are still deviations from
https://github.com/openSUSE/pesign-obs-integration/pull/8
Comment 1 Bernhard Wiedemann 2019-08-02 04:56:13 UTC
Oops, the link at the end was meant to be
https://github.com/openSUSE/pesign-obs-integration/issues/9
Comment 2 Gary Ching-Pang Lin 2019-08-02 07:09:34 UTC
fwupd uses FU_BUILD_HASH to determine if the plugin is built with the daemon or not. I'll check if there is any better target to generate the hash.
Comment 3 Gary Ching-Pang Lin 2019-08-21 03:47:13 UTC
It's hard to replace libfwupdprivate.a. A workaround would be to add a never-used libfwupdprivate.so and hash the .so file, but it's unlikely to be upstreamed...
Comment 4 Bernhard Wiedemann 2019-08-21 10:52:28 UTC
Maybe you could strip LTO stuff from the .a before hashing with a call like
https://github.com/openSUSE/brp-check-suse/blob/master/brp-15-strip-debug#L40
Comment 5 Gary Ching-Pang Lin 2019-08-22 06:26:28 UTC
Stripping .o files sounds like a feasible solution. Will work on that.
Comment 6 Gary Ching-Pang Lin 2019-08-26 01:55:59 UTC
https://github.com/fwupd/fwupd/commit/5611fd0581b1c28de97321daefae798a78f475b8
Upstream tweaks the hash script to calculate the source files instead of the static library.
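
Added example, not part of the bug report and not fwupd's own fu-hash.py: a sketch of a build hash computed from source files rather than from compiler output, so LTO data in a .a archive cannot change it. The file names, the helper functions and the `#define` layout of the generated header are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Constructed sample sources; the file names are illustrative, not fwupd's list.
SAMPLE = {"fu-common.c": b"int fu_common(void) { return 0; }\n",
          "fu-plugin.c": b"int fu_plugin(void) { return 1; }\n"}

def write_tree(root, files):
    """Write the sample files into root and return their relative names."""
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return list(files)

def build_hash(root, relpaths):
    """SHA-256 over (name, length, content) of each file, in sorted name order.

    Only source bytes and relative names are hashed, so the absolute build
    path, file mtimes, argument order and compiler output (such as LTO
    sections in a static library) cannot influence the digest.
    """
    digest = hashlib.sha256()
    for rel in sorted(relpaths):
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        # Name and length framing keeps file boundaries unambiguous.
        digest.update(rel.encode() + b"\0" + str(len(data)).encode() + b"\0")
        digest.update(data)
    return digest.hexdigest()

def render_header(value):
    """Header text carrying the hash (assumed layout for a fu-hash.h style file)."""
    return '#define FU_BUILD_HASH "%s"\n' % value

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        names = write_tree(a, SAMPLE)
        write_tree(b, SAMPLE)
        first = build_hash(a, names)
        second = build_hash(b, list(reversed(names)))  # other path, other order
        print(render_header(first), end="")
        print("reproducible:", first == second)
```

Because the plugin/daemon match check described in comment 2 only needs the value to change when the code changes, hashing the inputs preserves that property while making two builds of the same sources agree.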
Comment 7 Martin Liška 2019-08-26 06:29:30 UTC
(In reply to Gary Ching-Pang Lin from comment #6)
> https://github.com/fwupd/fwupd/commit/5611fd0581b1c28de97321daefae798a78f475b8
> Upstream tweaks the hash script to calculate the source files instead of the
> static library.

Great.
Comment 8 Gary Ching-Pang Lin 2019-08-27 03:57:08 UTC
Submitted the patch sr#726084
Closing this bug.