Anders Kaseorg
2017-09-02 05:52:43 UTC
For the Debian Reproducible Builds effort, I’ve been debugging the
nondeterministic behavior of pdftex when invoked by dblatex. I think the
last remaining issue involves the PDF ID field, which pdftex generates by
hashing the current time and the full path to the input file (function
printID). Previous discussion
(https://tug.org/pipermail/pdftex/2015-May/008940.html,
https://tug.org/pipermail/pdftex/2015-July/008952.html) has led to support
for the SOURCE_DATE_EPOCH environment variable, which nicely controls the
time nondeterminism. This leaves the output depending on the input path.
For many packages that’s sufficient as Debian does not (yet?) require
determinism under build path variation in its definition of
reproducibility. However, dblatex invokes pdflatex on generated input
within a randomly named temporary directory. That makes it hard for
packages using dblatex to build reproducibly, even when the main build
path is fixed, without resorting to per-package patches to remove the ID
field.
Earlier it was mentioned that the algorithm used by pdftex’s printID was
inspired by the section “File Identifiers” in the PDF Reference, which
suggests hashing the time, pathname, file size, and document information
dictionary. However, a note in an appendix makes it clear that the
particular algorithm is unimportant:
“Note that the calculation of the file identifier need not be
reproducible; all that matters is that the identifier is likely to be
unique. For example, two implementations of this algorithm might use
different formats for the current time, causing them to produce different
file identifiers for the same file created at the same time, but the
uniqueness of the identifier is not affected.”
(https://wwwimages.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf,
Appendix H, implementation note 163)
With that in mind, could printID be changed to avoid depending on the
current directory name, either by default, or if the default won’t be
changed, then perhaps just when a reproducible build has been requested
via the presence of SOURCE_DATE_EPOCH?
Anders
nondeterministic behavior of pdftex when invoked by dblatex. I think the
last remaining issue involves the PDF ID field, which pdftex generates by
hashing the current time and the full path to the input file (function
printID). Previous discussion
(https://tug.org/pipermail/pdftex/2015-May/008940.html,
https://tug.org/pipermail/pdftex/2015-July/008952.html) has led to support
for the SOURCE_DATE_EPOCH environment variable, which nicely controls the
time nondeterminism. This leaves the output depending on the input path.
For many packages that’s sufficient as Debian does not (yet?) require
determinism under build path variation in its definition of
reproducibility. However, dblatex invokes pdflatex on generated input
within a randomly named temporary directory. That makes it hard for
packages using dblatex to build reproducibly, even when the main build
path is fixed, without resorting to per-package patches to remove the ID
field.
Earlier it was mentioned that the algorithm used by pdftex’s printID was
inspired by the section “File Identifiers” in the PDF Reference, which
suggests hashing the time, pathname, file size, and document information
dictionary. However, a note in an appendix makes it clear that the
particular algorithm is unimportant:
“Note that the calculation of the file identifier need not be
reproducible; all that matters is that the identifier is likely to be
unique. For example, two implementations of this algorithm might use
different formats for the current time, causing them to produce different
file identifiers for the same file created at the same time, but the
uniqueness of the identifier is not affected.”
(https://wwwimages.adobe.com/content/dam/Adobe/en/devnet/pdf/pdfs/pdf_reference_1-7.pdf,
Appendix H, implementation note 163)
With that in mind, could printID be changed to avoid depending on the
current directory name, either by default, or if the default won’t be
changed, then perhaps just when a reproducible build has been requested
via the presence of SOURCE_DATE_EPOCH?
Anders