Discussion:
[quagga-dev 16626] Reproducibility problem
Gábor Boskovits
2017-06-23 14:02:06 UTC
Hello quagga!

I'm trying to package quagga for guix.

Package compiles all right, test suite runs ok.

The only problem seems to be that the build is not reproducible.

I managed to narrow that down to the generation of vtysh_cmd.c not being
deterministic.

At first I thought it is just an ordering issue.

I checked the code, and it seems that DEFSH function definitions can be
freely moved around, and the order of install_elements does not seem to matter either.

I wrote a simple post processor to get identical ordering.

However after ordering the files are still different.

Here is an example diff:

***@guixsd-test ~/quaqqa-sorter [env]$ diff cmd.c.sorted cmd.c.sorted2
1979,1989d1978
< DEFSH (VTYSH_BGPD, clear_ip_bgp_all_vpnv4_soft_in_cmd_vtysh,
< "clear ip bgp * vpnv4 unicast soft in",
< "Reset functions\n"
< "IP information\n"
< "BGP information\n"
< "Clear all peers\n"
< "Address family\n"
< "Address Family Modifier\n"
< "Soft reconfig inbound and outbound updates\n"
< "Send route-refresh unless using 'soft-reconfiguration inbound'\n")
<
5023a5013,5022
DEFSH (VTYSH_BGPD, no_neighbor_attr_unchanged5_cmd_vtysh,
"no neighbor (A.B.C.D|X:X::X:X|WORD) " "attribute-unchanged
as-path next-hop med",
"Negate a command or set its defaults\n"
"Specify neighbor router\n"
"Neighbor address\nNeighbor IPv6 address\nNeighbor tag\n"
"BGP attribute is propagated unchanged to this neighbor\n"
"As-path attribute\n"
"Nexthop attribute\n"
"Med attribute\n")
13193,13201c13192,13201
< DEFSH (VTYSH_BGPD, no_neighbor_attr_unchanged5_cmd_vtysh,
< "no neighbor (A.B.C.D|X:X::X:X|WORD) " "attribute-unchanged
as-path next-hop med",
< "Negate a command or set its defaults\n"
< "Specify neighbor router\n"
< "Neighbor address\nNeighbor IPv6 address\nNeighbor tag\n"
< "BGP attribute is propagated unchanged to this neighbor\n"
< "As-path attribute\n"
< "Nexthop attribute\n"
< "Med attribute\n")
---
DEFSH (VTYSH_BGPD, clear_ip_bgp_all_vpnv4_soft_in_cmd_vtysh,
"clear ip bgp * vpnv4 unicast soft in",
"Reset functions\n"
"IP information\n"
"BGP information\n"
"Clear all peers\n"
"Address family\n"
"Address Family Modifier\n"
"Soft reconfig inbound and outbound updates\n"
"Send route-refresh unless using 'soft-reconfiguration inbound'\n")
I do not always exactly get this diff.

I would like to know if this behaviour is intentional.

If it is not, I'm willing to help, if you think it is worth it.

I can send the way I am sorting the file now, if that helps.
Balaji Gurudoss
2017-06-23 16:39:33 UTC
Hi
Post by Gábor Boskovits
Hello quagga!
I'm trying to package quagga for guix.
Package compiles all right, test suite runs ok.
The only problem seems to be that the build is not reproducible.
Can you clarify what you mean by "build is not reproducible"?
Nick Hilliard
2017-06-23 18:39:01 UTC
Post by Gábor Boskovits
The only problem seems to be that the build is not reproducible.
I managed to narrow that down to the generation of vtysh_cmd.c not being
deterministic.
At first I thought it is just an ordering issue.
It's just an ordering issue. The reason for this behaviour is explained
http://perldoc.perl.org/perlsec.html#Algorithmic-Complexity-Attacks
If it bothers you, you can fix it by replacing all instances of "keys"
in vtysh/extract.pl by "sort keys".

Nick
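
Added example, not part of the thread and not code from vtysh/extract.pl: a stand-alone Perl script that shows why output built from a plain "keys" loop changes between runs while "sort keys" stays fixed. The first two command names are taken from the diff in the first message; the other names and the emitted line format are constructed for illustration.

```perl
#!/usr/bin/perl
# Re-runs itself several times and hashes the generated text, once with
# "keys" and once with "sort keys", to compare run-to-run stability.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Constructed sample table: command symbol => daemon.
my %cmds = (
    clear_ip_bgp_all_vpnv4_soft_in_cmd_vtysh => 'VTYSH_BGPD',
    no_neighbor_attr_unchanged5_cmd_vtysh    => 'VTYSH_BGPD',
    example_cmd_a_vtysh                      => 'VTYSH_BGPD',  # hypothetical
    example_cmd_b_vtysh                      => 'VTYSH_BGPD',  # hypothetical
    example_cmd_c_vtysh                      => 'VTYSH_BGPD',  # hypothetical
    example_cmd_d_vtysh                      => 'VTYSH_BGPD',  # hypothetical
);

# Emit one line per command, walking the hash in either order.
sub generate {
    my ($sorted) = @_;
    my @names = $sorted ? sort keys %cmds : keys %cmds;
    return join '',
        map { "  install_element (BGP_NODE, &$_);  /* $cmds{$_} */\n" } @names;
}

# Child mode: print the generated text and stop.
if (@ARGV) {
    print generate($ARGV[0] eq 'sorted');
    exit 0;
}

# Parent mode: make sure the children pick their own random hash seed.
delete @ENV{qw(PERL_HASH_SEED PERL_PERTURB_KEYS)};

for my $mode (qw(unsorted sorted)) {
    my %digests;
    for (1 .. 8) {
        # List-form pipe open: runs this same script without a shell.
        open(my $fh, '-|', $^X, $0, $mode) or die "cannot run child: $!";
        my $out = do { local $/; <$fh> };
        close $fh;
        $digests{ sha256_hex($out) }++;
    }
    printf "%-8s %d distinct output(s) in 8 runs\n",
        $mode, scalar keys %digests;
}
```

On a Perl with hash randomization enabled, the sorted mode always reports one distinct output, while the unsorted mode normally reports several.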
Gábor Boskovits
2017-06-24 11:38:42 UTC
Ok, I have a patch for that.
It seems to work fine.

I added it to https://github.com/Boskovits/quagga.git on branch
reproducible-build (https://github.com/Boskovits/quagga/tree/reproducible-build).

It just does what Nick Hilliard suggested: it replaces keys with sort keys.

It might increase build time, but the impact seems negligible.

The advantage is that this way bit-by-bit reproducible binaries are
generated.

See https://reproducible-builds.org/ if further reference is needed.
Thanks, I have found out.
We need this to provide substitutes.
I guess this won't go upstream, so I will maintain it separately.