#1138608 - grub2: reproducible builds: non-deterministic ordering in lintian overrides (original) (raw)

Reply or subscribe to this bug.

Display info messages

Report forwardedto debian-bugs-dist@lists.debian.org, GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net> (src:grub2 for {1138608}), Vagrant Cascadian <vagrant@debian.org> (additional cc recipient for {1138608}):
Bug#1138608; Package src:grub2. (Mon, 01 Jun 2026 04:07:02 GMT) (full text, mbox, link).

Acknowledgement sentto Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to vagrant@debian.org, pkg-grub-devel@alioth-lists.debian.net. (Mon, 01 Jun 2026 04:07:02 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Source: grub2 Severity: normal Tags: patch User: reproducible-builds@lists.alioth.debian.org Usertags: randomness X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Both grub-xen-dbg and grub-xen-bin generate their lintian overrides from debian/rules using find, which may return results in a non-deterministic order:

https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383903/diffoscope https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383902/diffoscope

The attached patch sorts each of the find calls used to generate the lintian overrides, which should result in a deterministic ordering... at least if the locale is consistent (which it should be with buildd.debian.org vs. reproduce.debian.net)... the proposed fix for https://bugs.debian.org/991928 might also help with varying locales.

This does not resolve all reproducibility issues in grub2 (there are a few other bugs with patches filed that will partly help), but it should at least fix those two packages!

live well, vagrant

[0001-debian-rules-Sort-calls-to-find-when-generating-lint.patch (text/x-diff, inline)]

From 10c89cf6eaa747211aae7f01409ef7753a9393ec Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian vagrant@reproducible-builds.org Date: Sun, 31 May 2026 20:34:47 -0700 Subject: [PATCH] debian/rules: Sort calls to find when generating lintian overrides. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit

The results of the find command may return files in non-deterministic order. for example, running diffoscope on two builds of the same package:

--- /srv/rebuilderd/tmp/rebuilderdLk2QMC/inputs/grub-xen-bin_2.14-2_amd64.deb +++ /srv/rebuilderd/tmp/rebuilderdLk2QMC/out/grub-xen-bin_2.14-2_amd64.deb ... │ │ ├── ./usr/share/lintian/overrides/grub-xen-bin │ │ │┄ Ordering differences only │ │ │ @@ -1,22 +1,22 @@ │ │ │ grub-xen-bin: unstripped-binary-or-object **.mod* │ │ │ +grub-xen-bin: statically-linked-binary usr/lib/grub/i386-xen/kernel.img │ │ │ grub-xen-bin: statically-linked-binary usr/lib/grub/i386-xen_pvh/kernel.img │ │ │ grub-xen-bin: statically-linked-binary usr/lib/grub/x86_64-xen/kernel.img │ │ │ -grub-xen-bin: statically-linked-binary usr/lib/grub/i386-xen/kernel.img ... │ │ │ +grub-xen-bin: binary-from-other-architecture usr/lib/grub/i386-xen/kernel.img │ │ │ grub-xen-bin: binary-from-other-architecture usr/lib/grub/i386-xen_pvh/kernel.img │ │ │ grub-xen-bin: binary-from-other-architecture usr/lib/grub/x86_64-xen/kernel.img │ │ │ -grub-xen-bin: binary-from-other-architecture usr/lib/grub/i386-xen/kernel.img

debian/rules | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/debian/rules b/debian/rules index e7cefe635..184e8dde8 100755 --- a/debian/rules +++ b/debian/rules @@ -439,10 +439,10 @@ install/grub-pc install/grub-efi-ia32 install/grub-efi-amd64 install/grub-efi-ar mkdir -p debian/$(package_bin)/usr/share/lintian/overrides echo "$(package_bin): unstripped-binary-or-object [.mod]"
>> debian/$(package_bin)/usr/share/lintian/overrides/$(package_bin) - cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img
+ cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img | sort
| sed -e "s%.%$(package_bin): statically-linked-binary [&]%g"
>> (CURDIR)/debian/(CURDIR)/debian/(CURDIR)/debian/(package_bin)/usr/share/lintian/overrides/$(package_bin) - cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img
+ cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img | sort
| sed -e "s%.%$(package_bin): unstripped-binary-or-object [&]%g"
>> (CURDIR)/debian/(CURDIR)/debian/(CURDIR)/debian/(package_bin)/usr/share/lintian/overrides/$(package_bin) if ([ "$@" = "install/grub-efi-amd64" ] && [ "$(DEB_HOST_ARCH_CPU)" = "i386" ]) ||
@@ -482,7 +482,7 @@ install/grub-pc install/grub-efi-ia32 install/grub-efi-amd64 install/grub-efi-ar >> debian/$(package_dbg)/usr/share/lintian/overrides/$(package_dbg) echo "$(package_dbg): statically-linked-binary [.image]"
>> debian/$(package_dbg)/usr/share/lintian/overrides/$(package_dbg) - cd debian/tmp-$(package) && find usr/lib/grub -name kernel.exec
+ cd debian/tmp-$(package) && find usr/lib/grub -name kernel.exec | sort
| sed -e "s%.%$(package_dbg): statically-linked-binary [&]%g"
>> (CURDIR)/debian/(CURDIR)/debian/(CURDIR)/debian/(package_dbg)/usr/share/lintian/overrides/$(package_dbg) if ([ "$@" = "install/grub-efi-amd64" ] && [ "$(DEB_HOST_ARCH_CPU)" = "i386" ]) ||
@@ -490,7 +490,7 @@ install/grub-pc install/grub-efi-ia32 install/grub-efi-amd64 install/grub-efi-ar [ "$@" = "install/grub-xen" ] ; then
echo "$(package_dbg): binary-from-other-architecture [.module]"
>> debian/$(package_dbg)/usr/share/lintian/overrides/$(package_dbg) ;
- cd debian/tmp-$(package) && find usr/lib/grub -name kernel.exec
+ cd debian/tmp-$(package) && find usr/lib/grub -name kernel.exec | sort
| sed -e "s%.*%$(package_dbg): binary-from-other-architecture [&]%g"
>> (CURDIR)/debian/(CURDIR)/debian/(CURDIR)/debian/(package_dbg)/usr/share/lintian/overrides/$(package_dbg) ;
fi

2.47.3

[signature.asc (application/pgp-signature, inline)]

Information forwardedto debian-bugs-dist@lists.debian.org, GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net> (src:grub2 for {1138608}):
Bug#1138608; Package src:grub2. (Mon, 01 Jun 2026 20:23:01 GMT) (full text, mbox, link).

Acknowledgement sentto Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to pkg-grub-devel@alioth-lists.debian.net. (Mon, 01 Jun 2026 20:23:01 GMT) (full text, mbox, link).

Message #10 received at 1138608@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

On 2026-05-31, Vagrant Cascadian wrote:

Both grub-xen-dbg and grub-xen-bin generate their lintian overrides from debian/rules using find, which may return results in a non-deterministic order:

https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383903/diffoscope https://reproduce.debian.net/amd64/api/v1/builds/153376/artifacts/383902/diffoscope

The attached patch sorts each of the find calls used to generate the lintian overrides, which should result in a deterministic ordering... at least if the locale is consistent

Missed one that did not appear to be an issue, but that might just be due to luck (or there are not multiple?):

--- a/debian/rules +++ b/debian/rules @@ -452,7 +452,7 @@ install/grub-pc install/grub-efi-ia32 install/grub-efi-amd64 install/grub-efi-ar [ "$@" = "install/grub-xen" ]; then
echo "$(package_bin): binary-from-other-architecture [*.mod]"
>> debian/$(package_bin)/usr/share/lintian/overrides/$(package_bin) ; \

•           cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img \

•           cd debian/tmp-$(package) && find usr/lib/grub -name kernel.img | sort \
                    | sed -e "s%.*%$(package_bin): binary-from-other-architecture [&]%g" \
            >> <span class="katex"><span class="katex-mathml"><math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mo stretchy="false">(</mo><mi>C</mi><mi>U</mi><mi>R</mi><mi>D</mi><mi>I</mi><mi>R</mi><mo stretchy="false">)</mo><mi mathvariant="normal">/</mi><mi>d</mi><mi>e</mi><mi>b</mi><mi>i</mi><mi>a</mi><mi>n</mi><mi mathvariant="normal">/</mi></mrow><annotation encoding="application/x-tex">(CURDIR)/debian/</annotation></semantics></math></span><span class="katex-html" aria-hidden="true"><span class="base"><span class="strut" style="height:1em;vertical-align:-0.25em;"></span><span class="mopen">(</span><span class="mord mathnormal" style="margin-right:0.07153em;">C</span><span class="mord mathnormal" style="margin-right:0.10903em;">U</span><span class="mord mathnormal" style="margin-right:0.00773em;">R</span><span class="mord mathnormal" style="margin-right:0.02778em;">D</span><span class="mord mathnormal" style="margin-right:0.07847em;">I</span><span class="mord mathnormal" style="margin-right:0.00773em;">R</span><span class="mclose">)</span><span class="mord">/</span><span class="mord mathnormal">d</span><span class="mord mathnormal">e</span><span class="mord mathnormal">bian</span><span class="mord">/</span></span></span></span>(package_bin)/usr/share/lintian/overrides/$(package_bin) ; \
    fi

live well, vagrant

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified:Wed Jun 17 17:55:13 2026; Machine Name:berlioz

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.