Reproducible build fails due to a missing dependency

[Giszmo]

Following the reproducible build instructions, I run into a missing dependency openjdk-8-jdk-headless=8u302-b08-1~deb9u1:

$ mkdir ~/tmp
$ cd ~/tmp/
$ git clone https://github.com/shesek/spark-wallet && cd spark-wallet
$ git checkout v0.3.1 
HEAD is now at 4ffb929 v0.3.1
...
Step 14/35 : RUN apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update
 ---> Running in a098df6b197f
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Hit:5 https://dl.winehq.org/wine-builds/debian bullseye InRelease
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [748 kB]
Get:7 http://security.debian.org/debian-security stretch/updates/main i386 Packages [748 kB]
Fetched 1549 kB in 1s (1847 kB/s)
Reading package lists...
Reading package lists...
Building dependency tree...
Reading state information...
E: Version '8u302-b08-1~deb9u1' for 'openjdk-8-jdk-headless' was not found
The command '/bin/sh -c apt-add-repository 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update   && apt-get install -y --no-install-recommends openjdk-8-jdk-headless=8u302-b08-1~deb9u1   && apt-add-repository --remove 'deb http://security.debian.org/debian-security stretch/updates main' && apt-get update' returned a non-zero code: 100

I'm publishing my findings on WalletScrutiny and would love to soon list this app – particularly Android – as reproducible.

[emanuelb]

The build failures can be fixed easily manually by removing the version strings that cause failures in time of check, like:

sed -i 's/winehq-stable=6.0.2~bullseye-1/winehq-stable/g' ./scripts/builder.Dockerfile;
sed -i 's/openjdk-8-jdk-headless=8u302-b08-1~deb9u1/openjdk-8-jdk-headless/g' ./scripts/builder.Dockerfile;

and then call the container build command:

podman build --rm -f scripts/builder.Dockerfile -t spark-builder031 .
mkdir docker-builds
podman run --rm --cap-add SYS_ADMIN --device /dev/fuse --security-opt apparmor:unconfined -it -v `pwd`/docker-builds:/target:Z,rw spark-builder 

which will build debug apk, for creating release apk the RB instructions at:
https://github.com/shesek/spark-wallet/blob/8b66e1df830f9e6c1bb8eab874103a509028ca60/doc/reproducible-builds.md#reproduce-with-docker

should be updated as it's require more steps that are not documented, like creating the spark-signing-keys directory.

spark-wallet/scripts/release.sh

Lines 22 to 23 in 112fd9b

	# Try loading Android signing keys
	[[ -z "$ANDROID_RELEASE_CONFIG" && -f ../spark-signing-keys/build.json ]] && ANDROID_KEYS=`pwd`/../spark-signing-keys

latest commit in repo is for not released version 0.3.2-rc, for the upcoming version the suggestions regarding RB are:

1. update rb documentation on building release apk (creating content of spark-signing-keys directroy)

2. use SOURCE_DATE_EPOCH env var https://reproducible-builds.org/docs/source-date-epoch/

using it might allow to git rid of faketime usage in (if faketime is still needed a bug upstream for the affected component should be opened to support SOURCE_DATE_EPOCH):

spark-wallet/electron/build.sh

Lines 32 to 38 in b35d317

	# Use faketime (if available) to make reproducible electron builds (works for all builds except deb and the Windows portable runner)
	: ${LIBFAKETIME:=/usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1}
	if [ -f "$LIBFAKETIME" ]; then
	# Set a start timestamp and make the clock move *very* slowly. The build
	# should finish in under 1 second with this speed.
	export LD_PRELOAD=$LIBFAKETIME FAKETIME="@2017-11-08 16:58:41 x0.0000001"
	fi

spark-wallet/scripts/builder.Dockerfile

Line 9 in bd89399

faketime=0.9.8-9 fuse=2.9.9-5 disorderfs=0.5.11-1

3. update all deps as it likely 1 of them is to blame for RB failure, and do RB test locally on latest commit.