#1140645 procmail: please make the build reproducible

Package:
src:procmail
Source:
src:procmail
Submitter:
Jochen Sprickerhof
Date:
2026-06-25 19:11:02 UTC
Severity:
normal
Tags:
#1140645#5
Date:
2026-06-23 22:18:39 UTC
From:
To:
Hi Santiago,

procmail is currently not reproducible on reproduce.debian.net:

https://reproduce.debian.net/excuses.html?source_name=procmail

The problem is that it uses Rules-Requires-Root: binary-targets and with
that fakeroot and that influences the build result. As the fakeroot
package is not recorded in the buildinfo file, we can't use it during
the rebuild and the generated binaries differ. binary-targets is only
needed for dh_fixperms in debian/rules and a better way is to use
debputy to adopt the owner and permissions in the generated package.
Please find attached a patch for procmail to do that and make it
reproducible. Note that it also makes three example shell scripts
executable, I think that makes sense:

│ │ │ --rw-r--r--   0 root         (0) root         (0)      404 1996-12-21 03:28:15.000000 ./usr/share/doc/procmail/examples/1rmail
│ │ │ +-rwxr-xr-x   0 root         (0) root         (0)      404 1996-12-21 03:28:15.000000 ./usr/share/doc/procmail/examples/1rmail
│ │ │  -rw-r--r--   0 root         (0) root         (0)     1989 1994-05-26 13:46:40.000000 ./usr/share/doc/procmail/examples/2procmailrc
│ │ │ --rw-r--r--   0 root         (0) root         (0)      396 1996-12-21 03:28:15.000000 ./usr/share/doc/procmail/examples/2rmail
│ │ │ +-rwxr-xr-x   0 root         (0) root         (0)      396 1996-12-21 03:28:15.000000 ./usr/share/doc/procmail/examples/2rmail
│ │ │  -rw-r--r--   0 root         (0) root         (0)     1533 1994-05-26 13:46:41.000000 ./usr/share/doc/procmail/examples/3procmailrc
│ │ │ --rw-r--r--   0 root         (0) root         (0)      761 1996-12-21 03:28:15.000000 ./usr/share/doc/procmail/examples/3rmail
│ │ │ +-rwxr-xr-x   0 root         (0) root         (0)      761 1996-12-21 03:28:15.000000 ./usr/share/doc/procmail/examples/3rmail

Please say if you disagree and I can work on a patch to recover the old
behaviour.

Could you please apply the attached patch and upload a new revision?

Thanks!

Jochen

#1140645#10
Date:
2026-06-23 23:29:08 UTC
From:
To:
I disagree with the premise that the package needs to be changed
because of the way reproduce.debian.net is currently implemented.

Let me answer one thing at a time:

Well, maybe it should and the bug is somewhere else (for example,
whatever program is creating the buildinfo file).

Well, maybe you should use it during the rebuild even if it's not in
the buildinfo file. It looks like this should be done in general for
every package having a Rules-Requires-Root different than no.

The package was built using sbuild, and sbuild installs fakeroot when
building the package, so it could be argued that you are not really
trying to reproduce the package correctly if you omit fakeroot.

which I believe it's a completely legitimate usage of it.

Well, "better" depending on how you look at it. Instead of a simple
debian/rules now I am supposed to include a fully structured file with
a lot more lines to do essentially the same.

Sorry, but I don't like this. I think the problem should be fixed at
its source, not in the individual packages.

Thanks.

#1140645#15
Date:
2026-06-24 11:14:09 UTC
From:
To:
Hi Santiago,

* Santiago Vila <sanvila@debian.org> [2026-06-24 01:29]:

That would be dpkg-genbuildinfo from dpkg-dev. Back when we started with
reproduce.d.n I discussed this and similar options with others and we
agreed that fakeroot is an implementation detail and not a build
dependency of the package. Also there is ongoing work to remove the
fakeroot usage in the archive completely.

The problem is that we don't know which version of the fakeroot package
was used during the build. There where proposals to guess the likely
version by the build date or scrape it from the buildd log but it would
mean more hacks. And looking at #1114644 that a bookworm fakeroot does
not work on a trixie kernel that may not even be enough...
is set. Looking at

https://codesearch.debian.net/search?q=Rules-Requires-Root%3A+binary-targets+path%3Adebian%2Fcontrol

There are less then 250 packages left with R³: binary-targets and up to
now I only found three where it is likely the cause of being not
reproducible (investigating right now). Around 15 do not reproduce due
to other reasons, like timestamps in manpages, and the rest reproduces
just fine.

Not sure I understand the "a lot more lines" argument but the patch
itself is 4 lines more then the old code. Do you mean that you also
gain a dependency on dh-debputy? If so please note that there was an
implicitly dependency on fakeroot before and that it carries way more
complexity. For example it shadows the filesystem to track the chown and
chmod calls. Also fakeroot has quiet a history of needing adoptions for
new kernel releases, so I think debputy is better then fakeroot here.

Cheers Jochen

#1140645#20
Date:
2026-06-25 18:03:49 UTC
From:
To:
If the presence of fakeroot may affect the end result, it would seem
natural that it should be recorded in the buildinfo file.

I could agree about the fact that it's not a build-dependency in
strict sense, so maybe it's ok that it's not in the
Installed-Build-Depends field of the buildinfo file, but if it's not
there maybe it should be somewhere else.

Even a "Fakeroot-Version:" field would be (or "would have been",
depending on we look at it...) better than nothing.

My feeling is that we are mixing things that should be independent and
handled separately.

For example, the proposed patch (which I will probably accept before
the freeze of forky), says "This makes the package reproducible".

That's probably not a fair way to explain the issue. Most probably the
package was indeed reproducible, but the infrastructure "forgot" to
record essential information to actually reproduce it.

(Side note: Maybe I will just change the comment in the patch to
something like "The package may now be reproduced by
reproduce.debian.net").

Ok, I admit that I did not think about that.

Let's assume that we can't guess the fakeroot version of a package
which was already built.

Could not we at least start recording the fakeroot version so that
from now on packages that rightfully use it may be reproduced?

That way a simple rebuild (which could be even a binNMU) would
suddenly make the package reproducible again.

(I fear that I know what your reply to this could be: We would
be adding such field to be used by only a handful of packages,
which could be switched to debputy anyway. Did I guess right? :-)

Well, as a workaround, we can agree that packages in bookworm should be
built in bookworm.
and sbuild installed fakeroot after detecting that it was required for
the build of this specific package.

Does this mean that getting rid of fakeroot is not really a
pre-requisite for achieving reproducible-builds?

If yes: What special feature does procmail have that makes its usage
of fakeroot troublesome regarding reproducibility, at the same time
other packages using fakeroot are reproducible?

Even if the proposed patch is ok and most probably I will apply for
forky, I'm really curious about this. I would feel better if I know
the reasons we do thing the way we do.

Thanks.

#1140645#25
Date:
2026-06-25 19:09:54 UTC
From:
To:
* Santiago Vila <sanvila@debian.org> [2026-06-25 20:03]:

Yes.

I don't know.

Cheers Jochen