Notes for php7.0 - reproducible builds result

Version annotated: 7.0.4-6
Identified issues:
Identifier: user_hostname_manually_added_requiring_further_investigation
Description Packages which intentionally capture the username or hostname into a custom format,
but aren't obviously using any tool or system which has this as a core issue.
Interesting because they could be fixed by fixing these things at build time.
Identifier: captures_home_dir
Description Captures home directory, e.g., first-build v. second-build.
Identifier: captures_kernel_version
Description Stores the kernel version (uname -a, /proc/version, etc.) output, normally for debugging purposes.
.
Sub-issue: captures_kernel_version_via_CMAKE_SYSTEM
Identifier: captures_users_gecos
Description Captures user's GECOS, e.g., second room. . Sub-issue texi2html_captures_users_gecos
Identifier: leaks_path_environment_variable
Description The environment variable PATH is embedded in the build result.
Sometimes it's just leaked into some file (so "just" causing reproducibility issues), while sometimes this PATH is also used for building, which might give unexpected and broken results.
Identifier: records_build_flags
Description Records $CFLAGS, which vary intentionally due to the «-fdebug-prefix-map=${BUILDPATH}=.»,
«-ffile-prefix-map=${BUILDPATH}=.» or «-fmacro-prefix-map=${BUILDPATH}=.» flags.
.
We have a patch pending to GCC to fix this issue centrally:
.
https://gcc.gnu.org/ml/gcc-patches/2016-11/msg00182.html
.
Though the patch is currently unlikely to be merged. If/when this
is accepted, this issue should be fixed for all packages and you
should not need to fix it specifically in your package.
.
There is also a work-in-progress patch to dpkg that could address this issue:
.
https://bugs.debian.org/985553
.
For more background information see:
.
• https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20160822/006788.html
• https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20160905/006984.html
• https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20160912/007076.html
Comments: dtrace generates C source files in a random temporary location.
https://sources.debian.net/src/systemtap/2.9-3/dtrace.in/#L413
https://sources.debian.net/src/php7.0/7.0.4-6/acinclude.m4/?hl=2993,2998#L2993
This temporary filename leaks into debug information and causes a build id variation.
 

Our notes about issues affecting packages are stored in notes.git and are targeted at packages in Debian in 'unstable/amd64' (unless they say otherwise).