transaction: sort packages when SOURCE_DATE_EPOCH set

For reproducible builds that involve RPMs, the exact order in which
packages are installed matters. This affects some files that are easy to
normalize in postprocessing (e.g. `/etc/passwd` line order), but it also
affects the rpmdb, where e.g. row order may change. See this comment
and following:

rpm-software-management/rpm#2219 (comment)

This was fixed for the rpm-ostree use case by sorting the packages
before adding them to the transaction and calling rpmtsOrder():

coreos/rpm-ostree#5469

This is the dnf equivalent.

We only do this if SOURCE_DATE_EPOCH is defined for two reasons:
1. It reduces risk by limiting it to the group of people who actually
   care about these details. (Though ironically, this change itself will
   cause a rebuild of reproducible artifacts.)
2. It mitigates the concern raised in the linked discussions regarding
   well-defined reordering possibly masking bugs in RPMs that
   unknowingly rely on a specific order.

Ideally, this functionality would live on the rpm side instead. For the
same reasons as above, this would also likely have to be an opt-in flag.
Once we have that though, the logic here could be simplified.

Assisted-by: Claude Code / Sonnet 4.5

Author: jlebon

libdnf5/rpm/transaction.cpp

@@ -39,6 +39,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
+#include <algorithm>
 #include <map>
 
 
@@ -140,6 +141,15 @@ std::string Transaction::get_db_cookie() const {
 void Transaction::fill(const base::Transaction & transaction) {
     transaction_items = transaction.get_transaction_packages();
 
+    // If SOURCE_DATE_EPOCH is set, sort the package list for reproducibility
+    if (std::getenv("SOURCE_DATE_EPOCH") != nullptr) {
+        auto & logger = *base->get_logger();
+        logger.debug("SOURCE_DATE_EPOCH detected; sorting {} packages for reproducibility", transaction_items.size());
+        std::sort(transaction_items.begin(), transaction_items.end(), [](const auto & a, const auto & b) {
+            return a.get_package().get_nevra() < b.get_package().get_nevra();
+        });
+    }
+
     // Auxiliary map name->package with the latest versions of currently
     // installed installonly packages.
     // Used to detect installation of a installonly package with lower version

test/data/repos-rpm/rpm-repo3/three-1-1.spec

@@ -0,0 +1,18 @@
+Name:           three
+Epoch:          0
+Version:        1
+Release:        1
+Vendor:         dnf5-test
+
+License:        Public Domain
+URL:            http://example.com/
+
+Summary:        A dummy package
+BuildArch:      noarch
+
+%description
+A dummy package.
+
+%files
+
+%changelog

test/libdnf5/rpm/test_transaction.cpp

@@ -78,6 +78,23 @@ class PackageDownloadCallbacks : public libdnf5::repo::DownloadCallbacks {
     int mirror_failure_cnt{0};
 };
 
+class OrderCapturingCallbacks : public libdnf5::rpm::TransactionCallbacks {
+public:
+    explicit OrderCapturingCallbacks(std::vector<std::string> expected) : expected_order(std::move(expected)) {}
+
+    void install_start(const libdnf5::base::TransactionPackage & item, [[maybe_unused]] uint64_t total) override {
+        auto nevra = item.get_package().get_nevra();
+        if (current_index >= expected_order.size() || nevra != expected_order[current_index]) {
+            order_correct = false;
+        }
+        current_index++;
+    }
+
+    std::vector<std::string> expected_order;
+    size_t current_index = 0;
+    bool order_correct = true;
+};
+
 }  // namespace
 
 
@@ -161,3 +178,55 @@ void RpmTransactionTest::test_transaction_temp_files_cleanup() {
         CPPUNIT_ASSERT(!std::filesystem::exists(package_path));
     }
 }
+
+void RpmTransactionTest::test_source_date_epoch_sorting() {
+    add_repo_rpm("rpm-repo1", /* load */ false);
+    add_repo_rpm("rpm-repo2", /* load */ false);
+    add_repo_rpm("rpm-repo3", /* load */ true);
+
+    // setting a global var in a test is not great... no other tests right now
+    // relate to SOURCE_DATE_EPOCH at least
+    setenv("SOURCE_DATE_EPOCH", "1234567890", 1);
+
+    std::vector<std::string> packages = {"one", "two", "three"};
+    // The exact final install order chosen by librpm doesn't matter. What
+    // matters is that it's consistent across all permutations. An alternative
+    // approach resilient to potential librpm changes is to capture the order on
+    // the first iteration and then compare future iterations against that.
+    std::vector<std::string> expected_order = {"two-2-2.noarch", "three-1-1.noarch", "one-2-1.noarch"};
+    auto installroot = base.get_config().get_installroot_option().get_value();
+
+    std::sort(packages.begin(), packages.end());
+    do {
+        // recreate the installroot each time so we start from scratch
+        std::filesystem::remove_all(installroot);
+        std::filesystem::create_directory(installroot);
+
+        libdnf5::Goal goal(base);
+        for (const auto & pkg : packages) {
+            goal.add_rpm_install(pkg);
+        }
+
+        auto transaction = goal.resolve();
+        transaction.download();
+
+        auto callbacks = std::make_unique<OrderCapturingCallbacks>(expected_order);
+        auto callbacks_ptr = callbacks.get();
+        transaction.set_callbacks(std::move(callbacks));
+
+        // TODO(jkolarik): Temporarily disable the test to allow further investigation of issues on the RISC-V arch
+        //                 See https://github.com/rpm-software-management/dnf5/issues/503
+        auto res = transaction.run();
+        if (res != libdnf5::base::Transaction::TransactionRunResult::SUCCESS) {
+            std::cout << std::endl << "WARNING: Transaction was not successful" << std::endl;
+            std::cout << libdnf5::utils::string::join(transaction.get_transaction_problems(), ", ") << std::endl;
+            break;  // no point in trying more permutations if arch is broken
+        }
+
+        CPPUNIT_ASSERT(callbacks_ptr->order_correct);
+        CPPUNIT_ASSERT_EQUAL(expected_order.size(), callbacks_ptr->current_index);
+
+    } while (std::next_permutation(packages.begin(), packages.end()));
+
+    unsetenv("SOURCE_DATE_EPOCH");
+}

test/libdnf5/rpm/test_transaction.hpp

@@ -31,11 +31,13 @@ class RpmTransactionTest : public BaseTestCase {
     CPPUNIT_TEST_SUITE(RpmTransactionTest);
     CPPUNIT_TEST(test_transaction);
     CPPUNIT_TEST(test_transaction_temp_files_cleanup);
+    CPPUNIT_TEST(test_source_date_epoch_sorting);
     CPPUNIT_TEST_SUITE_END();
 
 public:
     void test_transaction();
     void test_transaction_temp_files_cleanup();
+    void test_source_date_epoch_sorting();
 };
 
 #endif