Notes for python3.9 - reproducible builds result

Version annotated: 3.9.7-2
Identified issues:
Identifier: captures_build_path
Description Captures build path, e.g., /build/1st/foo-42.0 v. /build/foo-42.0/2nd
.
Until early 2024 we varied the build path when testing packages from unstable
and experimental, which we have stopped doing now as the build path is recorded
as part of the environment and thus can be used when rebuilding.
.
This issue is kept here for the time being.
.
This issue is only for miscellaneous issues which need individual fixes,
please create new issues for specific issues, e.g. gcc_captures_build_path.
.
Here follows some general tips for packages using the standard GNU toolchain:
.
If using autoconf, make sure you call ./configure via a relative and not absolute path.
.
If your issue is related to using the `__FILE__` macro, or the recording of
--debug-prefix-map flags in non-GCC non-debugging output, this is what is
fixed by our patch mentioned above; you should not need to fix it
specifically in your package.
.
For more background information see:
.
• https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20160822/006788.html
• https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20160905/006984.html
• https://alioth-lists.debian.net/pipermail/reproducible-builds/Week-of-Mon-20160912/007076.html
Identifier: blacklisted_on_jenkins_armhf_only
Description Some packages have been blacklisted only on armhf in our test infrastructure
because their builds take too long on the tiny armhf boards we're using.
The mitigation against this is to add more architectures or to wait until
we test against the debian archive, when it will become sensible to raise
the 18h timeout for a single build.
Until his happens, please rely on the amd64, i386 and arm64 tests.
Comments: Profile-guided optimization or LTO produces non-determinism.
Workaround: build with DEB_BUILD_OPTIONS="noopt" when testing for
other sources of non-reproducibility.

The build path is captured in many places. Workaround: don't vary it
when testing for other sources of non-reproducibility.

usr/share/info/python3.9.info.gz contains something that varies:

010696c0: 3a20 3337 3135 7f31 3532 3438 3931 370a : 3715.15248917.
-010696d0: 5265 663a 2033 3731 347f 3135 3234 3839 Ref: 3714.152489
-010696e0: 3438 0a52 6566 3a20 7573 696e 672f 636d 48.Ref: using/cm
-010696f0: 646c 696e 6520 6175 6469 745f 6576 656e dline audit_even
-01069700: 745f 6370 7974 686f 6e5f 7275 6e5f 6669 t_cpython_run_fi
-01069710: 6c65 5f30 7f31 3532 3438 3937 390a 1f0a le_0.15248979...
+010696d0: 5265 663a 2075 7369 6e67 2f63 6d64 6c69 Ref: using/cmdli
+010696e0: 6e65 2061 7564 6974 5f65 7665 6e74 5f63 ne audit_event_c
+010696f0: 7079 7468 6f6e 5f72 756e 5f66 696c 655f python_run_file_
+01069700: 307f 3135 3234 3839 3438 0a52 6566 3a20 0.15248948.Ref:
+01069710: 3337 3134 7f31 3532 3438 3937 390a 1f0a 3714.15248979...
01069720: 456e 6420 5461 6720 5461 626c 650a 0a1f End Tag Table...
 

Our notes about issues affecting packages are stored in notes.git and are targeted at packages in Debian in 'unstable/amd64' (unless they say otherwise).