Bit-for-bit reproducible images for Raspberry Pi


I’m using Nix and nixpkgs to build bootable images for Raspberry Pi containing the Linux kernel, an /init process along with a few supporting libraries (musl libc, libstdc++).

Now I’d like to make the images bit-for-bit reproducible. So far, I’ve had some luck with patchelf, overriding of packages, and careful invocation of archiving tools (mkfs.fat, mcopy etc.). Note that I can’t use pkgsStatic because it’s not supported by libcamera.

I got far enough to achieve bit-for-bit reproducible images across aarch64-darwin and aarch64-linux, primarily because I use the latter as a builder for the former. However, reproducibility breaks when building on GitHub’s CI, presumably because they’re x86_64-linux. The immediate problem is that even patchelf can’t help with ELF sections of different size. Here’s one such diff:

See also the related issue patchelf --set-rpath adds external unresolved symbol XXX to binary · Issue #315 · NixOS/patchelf · GitHub.

Ideas are welcome, especially ones that solve this problem in a more principled way than hacking away at one indeterministic issue at a time. For example, would content-addressed derivations help?
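One way to narrow down which ELF sections differ between two builds of the same binary, as an added example that is not part of the original post. It assumes little-endian ELF64 files (as on aarch64 and x86_64); the function names are hypothetical, and the two sample binaries are constructed inline by `build_elf` rather than taken from a real build.

```python
import hashlib
import struct

SHDR = "<IIQQQQIIQQ"   # ELF64 section header, little-endian (64 bytes)
SHT_NOBITS = 8         # e.g. .bss: occupies no bytes in the file

def elf64_sections(data):
    """Map section name -> (size, sha256 of file contents) for an ELF64 LE image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    shoff, = struct.unpack_from("<Q", data, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    hdrs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    stroff = hdrs[shstrndx][4]          # file offset of the section name table
    out = {}
    for name_off, sh_type, _, _, off, size, *_ in hdrs:
        start = stroff + name_off
        name = data[start:data.index(b"\0", start)].decode()
        body = b"" if sh_type == SHT_NOBITS else data[off:off + size]
        out[name] = (size, hashlib.sha256(body).hexdigest())
    return out

def diff_sections(a, b):
    """Return sorted [(name, size_a, size_b)] for sections whose size or bytes differ."""
    sa, sb = elf64_sections(a), elf64_sections(b)
    return [(n, sa.get(n, (None,))[0], sb.get(n, (None,))[0])
            for n in sorted(set(sa) | set(sb)) if sa.get(n) != sb.get(n)]

def build_elf(sections):
    """Constructed sample input: a minimal ELF64 holding only the given sections."""
    names = [""] + list(sections) + [".shstrtab"]
    strtab = b"".join(n.encode() + b"\0" for n in names)
    bodies = [b""] + list(sections.values()) + [strtab]
    blob, shdrs, name_off = b"", b"", 0
    for n, body in zip(names, bodies):  # every non-null section is typed PROGBITS for brevity
        shdrs += struct.pack(SHDR, name_off, 1 if n else 0, 0, 0, 64 + len(blob), len(body), 0, 0, 1, 0)
        name_off += len(n) + 1
        blob += body
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 183, 1, 0, 0, 64 + len(blob), 0, 64, 0, 0, 64, len(names), len(names) - 1)
    return ehdr + blob + shdrs

if __name__ == "__main__":
    # Constructed stand-ins for one binary built on two different hosts.
    a = build_elf({".text": b"\x1f\x20\x03\xd5" * 4, ".dynstr": b"\0libc.so\0"})
    b = build_elf({".text": b"\x1f\x20\x03\xd5" * 4, ".dynstr": b"\0libc.so\0__extra\0"})
    for row in diff_sections(a, b):
        print("%-12s %s -> %s" % row)
```

For real builds, pass the bytes of the two output files (`open(path, "rb").read()`) to `diff_sections`; a section listed with equal sizes differs only in content.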