
Debian Bug report logs - #969320
aflplusplus: please make the build reproducible


Package: src:aflplusplus; Maintainer for src:aflplusplus is Debian Security Tools <team+pkg-security@tracker.debian.org>;

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Mon, 31 Aug 2020 10:51:01 UTC

Severity: wishlist

Tags: patch

Found in version aflplusplus/2.67c-1

Fixed in version aflplusplus/2.68c-1

Done: Raphaël Hertzog <raphael@offensive-security.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#969320; Package src:aflplusplus. (Mon, 31 Aug 2020 10:51:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>. (Mon, 31 Aug 2020 10:51:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: aflplusplus: please make the build reproducible
Date: Mon, 31 Aug 2020 11:49:46 +0100
[Message part 1 (text/plain, inline)]
Source: aflplusplus
Version: 2.67c-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: shell
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0] we noticed that
aflplusplus could not be built reproducibly.

Here is the variation in the manpage

│ │ │ │ │ -.B afl-clang-fast \- /bin/sh: 1: ./afl-clang-fast: not found
│ │ │ │ │ +.B afl-clang-fast \- /bin/sh: ./afl-clang-fast: No such file or directory

This is, I think, because we do not build or keep these variants on
non-x86 systems, so the call in the Makefile fails with the above
message. This then varies depending on the user's shell that /bin/sh
symlinks to (!), rendering the package reproducible.

Untested patch attached that also removes these manpages from the
binary .deb along with the other deletions in debian/rules, but this may
not be the right approach for your package.

 	cd debian/afl++/usr/bin/ && rm afl-gcc afl-g++
 	cd debian/afl++/usr/lib/afl/ && rm as afl-as
 	cd debian/afl++-clang/usr/bin/ && rm afl-clang afl-clang++
+	cd debian/afl++-clang/usr/share/man/man8 && rm afl-clang-fast.8 afl-clang-fast++.8

There is also a variation in these manpages based on the build date:

│ │ │ │ │ -.TH afl-clang-fast 8 2021-10-03 afl++
│ │ │ │ │ +.TH afl-clang-fast 8 2020-08-31 afl++

... but I can't quite see why as you do appear to be using the
SOURCE_DATE_EPOCH environment variable. It may not matter if we don't
even ship them, hence why I'm not immediately investigating this
angle.

  [0] https://reproducible-builds.org/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[aflplusplus.diff.txt (text/plain, attachment)]

Message sent on to "Chris Lamb" <lamby@debian.org>:
Bug#969320. (Mon, 31 Aug 2020 13:03:04 GMT) (full text, mbox, link).


Message #8 received at 969320-submitter@bugs.debian.org (full text, mbox, reply):

From: Raphaël Hertzog <hertzog@debian.org>
To: 969320-submitter@bugs.debian.org
Subject: Bug#969320 marked as pending in aflplusplus
Date: Mon, 31 Aug 2020 13:00:23 +0000
Control: tag -1 pending

Hello,

Bug #969320 in aflplusplus reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-security-team/aflplusplus/-/commit/60853ffb43f0688200b61059b1b96aad90bb7c06

------------------------------------------------------------------------
Add a patch to improve reproducibility

Closes: #969320
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/969320



Added tag(s) pending. Request was from Raphaël Hertzog <hertzog@debian.org> to 969320-submitter@bugs.debian.org. (Mon, 31 Aug 2020 13:03:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#969320; Package src:aflplusplus. (Mon, 31 Aug 2020 13:24:08 GMT) (full text, mbox, link).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Mon, 31 Aug 2020 13:24:08 GMT) (full text, mbox, link).


Message #15 received at 969320@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>
To: Chris Lamb <lamby@debian.org>, 969320@bugs.debian.org
Subject: Re: Bug#969320: aflplusplus: please make the build reproducible
Date: Mon, 31 Aug 2020 15:05:27 +0200
Hi,

On Mon, 31 Aug 2020, Chris Lamb wrote:
> Whilst working on the Reproducible Builds effort [0] we noticed that
> aflplusplus could not be built reproducibly.

The reprotest CI job fails too and seems to show other issues:
https://salsa.debian.org/pkg-security-team/aflplusplus/-/jobs/964936/raw

I couldn't easily figure out the reason...

> Here is the variation in the manpage
> 
> │ │ │ │ │ -.B afl-clang-fast \- /bin/sh: 1: ./afl-clang-fast: not found
> │ │ │ │ │ +.B afl-clang-fast \- /bin/sh: ./afl-clang-fast: No such file or directory
> 
> This is, I think, because we do not build or keep these variants on
> non-x86 systems, so the call in the Makefile fails with the above
> message. This then varies depending on the user's shell that /bin/sh
> symlinks to (!), rendering the package reproducible.

The issue is actually in llvm_mode/GNUMakefile. On one line we expect the
binary in the current directory but it's actually built in the parent
directory.

> There is also a variation in these manpages based on the build date:
> 
> │ │ │ │ │ -.TH afl-clang-fast 8 2021-10-03 afl++
> │ │ │ │ │ +.TH afl-clang-fast 8 2020-08-31 afl++
> 
> ... but I can't quite see why as you do appear to be using the
> SOURCE_DATE_EPOCH environment variable. It may not matter if we don't
> even ship them, hence why I'm not immediately investigating this
> angle.

It does matter as we ship them on i386/amd64!

The issue is that llvm_mode/GNUMakefile is not using SOURCE_DATE_EPOCH.

Here's the patch I'm adding to git and submitting to upstream:

diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile
index 1a8c9f43..380397f2 100644
--- a/llvm_mode/GNUmakefile
+++ b/llvm_mode/GNUmakefile
@@ -28,6 +28,8 @@ MAN_PATH    ?= $(PREFIX)/share/man/man8
 
 VERSION     = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
 
+BUILD_DATE  ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
+
 ifeq "$(shell uname)" "OpenBSD"
   LLVM_CONFIG ?= $(BIN_PATH)/llvm-config
   HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1)
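Review bot: the BUILD_DATE chain at the added line falls through to `date -u "+%Y-%m-%d"` silently, so a missing or malformed SOURCE_DATE_EPOCH (both earlier branches discard stderr) yields a current-date `.TH` line that looks like a successful reproducible build; consider printing a warning in the last branch, or documenting next to the definition that callers must export SOURCE_DATE_EPOCH, so the regression reported in this bug stays detectable rather than being quietly reintroduced. The `?=` already lets a packager set BUILD_DATE directly, which is worth a comment there too.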
@@ -440,10 +442,10 @@ install: all
 
 vpath  % ..
 %.8: %
-	@echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+	@echo .TH $* 8 $(BUILD_DATE) "afl++" > ../$@
 	@echo .SH NAME >> ../$@
 	@echo -n ".B $* \- " >> ../$@
-	@./$* -h 2>&1 | head -n 1 | sed -e "s/$$(printf '\e')[^m]*m//g" >> ../$@
+	@../$* -h 2>&1 | head -n 1 | sed -e "s/$$(printf '\e')[^m]*m//g" >> ../$@
 	@echo >> ../$@
 	@echo .SH SYNOPSIS >> ../$@
 	@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
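Review bot: the `./$*` to `../$*` correction makes the NAME line consistent with the SYNOPSIS line below it (which already used `../$*`), and the `vpath % ..` prerequisite guarantees the file exists, but the recipe's exit status is still sed's, so if `../$* -h` fails for any other reason its error text is captured through `2>&1` and written into the page, which is exactly the shell-dependent wording this bug is about; consider a first recipe step such as `test -x ../$* || exit 1` so a non-runnable tool aborts the build instead of producing a bogus manpage.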

Filed here: https://github.com/AFLplusplus/AFLplusplus/pull/535

Cheers,
-- 
  ⢀⣴⠾⠻⢶⣦⠀   Raphaël Hertzog <hertzog@debian.org>
  ⣾⠁⢠⠒⠀⣿⡁
  ⢿⡄⠘⠷⠚⠋    The Debian Handbook: https://debian-handbook.info/get/
  ⠈⠳⣄⠀⠀⠀⠀   Debian Long Term Support: https://deb.li/LTS
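As an added example (not the bug report's attachment and not AFL++'s own GNUmakefile), here is the same manpage header generation written as POSIX shell functions, covering both findings of the thread: the `.TH` date derived from SOURCE_DATE_EPOCH with the GNU/BSD `date` fallback chain, and a NAME line that aborts when the tool cannot be run instead of capturing the shell's own error text. The function names `build_date`, `man_name_line` and `man_header` are assumptions.

```shell
#!/bin/sh
# Added example: reproducible manpage header generation in POSIX sh.
# It mirrors the two fixes discussed in Bug#969320: derive the .TH date
# from SOURCE_DATE_EPOCH (GNU date -d, then BSD date -r, then "now") and
# refuse to embed a shell error message when the tool cannot be run.
# Function names build_date, man_name_line and man_header are assumptions.

# Print YYYY-MM-DD (UTC) for SOURCE_DATE_EPOCH, falling back to today.
build_date() {
    epoch=${SOURCE_DATE_EPOCH:-}
    if [ -n "$epoch" ]; then
        date -u -d "@$epoch" "+%Y-%m-%d" 2>/dev/null && return 0
        date -u -r "$epoch" "+%Y-%m-%d" 2>/dev/null && return 0
    fi
    # No usable epoch: the result is not reproducible, so say so loudly.
    echo "warning: SOURCE_DATE_EPOCH unset or unusable, using current date" >&2
    date -u "+%Y-%m-%d"
}

# Emit the ".B name \- description" line for the tool at $1/$2.
# Unlike the original recipe, a tool that is not executable is a hard
# error instead of a "/bin/sh: ...: not found" string baked into the page.
man_name_line() {
    dir=$1; tool=$2
    [ -x "$dir/$tool" ] || { echo "error: $dir/$tool is not built" >&2; return 1; }
    # First line of -h output, with ANSI colour escapes stripped the same
    # way the GNUmakefile does it.
    desc=$("$dir/$tool" -h 2>&1 | head -n 1 | sed -e "s/$(printf '\033')[^m]*m//g")
    printf '.B %s \\- %s\n' "$tool" "$desc"
}

# Assemble the header the way the %.8 rule does: .TH, then .SH NAME.
man_header() {
    dir=$1; tool=$2
    printf '.TH %s 8 %s "afl++"\n' "$tool" "$(build_date)"
    echo ".SH NAME"
    man_name_line "$dir" "$tool"
}
```

Running `man_header` twice with the same SOURCE_DATE_EPOCH on any host shell gives byte-identical output, which is the property the bug asks for.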



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>:
Bug#969320; Package src:aflplusplus. (Mon, 31 Aug 2020 13:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>. (Mon, 31 Aug 2020 13:45:04 GMT) (full text, mbox, link).


Message #20 received at 969320@bugs.debian.org (full text, mbox, reply):

From: "Chris Lamb" <lamby@debian.org>
To: "Raphael Hertzog" <hertzog@debian.org>, 969320@bugs.debian.org
Subject: Re: Bug#969320: aflplusplus: please make the build reproducible
Date: Mon, 31 Aug 2020 14:42:59 +0100
Hi Raphael,

> The issue is actually in llvm_mode/GNUMakefile. On one line we expect the
> binary in the current directory but it's actually built in the parent
> directory.

Ahh, of course there would be *two* versions of the manpage generation
snippet in the same source package.

Thanks for explaining (and fixing…) this.


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Reply sent to Raphaël Hertzog <raphael@offensive-security.com>:
You have taken responsibility. (Tue, 17 Nov 2020 11:36:03 GMT) (full text, mbox, link).


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Tue, 17 Nov 2020 11:36:03 GMT) (full text, mbox, link).


Message #25 received at 969320-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 969320-close@bugs.debian.org
Subject: Bug#969320: fixed in aflplusplus 2.68c-1
Date: Tue, 17 Nov 2020 11:33:32 +0000
Source: aflplusplus
Source-Version: 2.68c-1
Done: Raphaël Hertzog <raphael@offensive-security.com>

We believe that the bug you reported is fixed in the latest version of
aflplusplus, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 969320@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <raphael@offensive-security.com> (supplier of updated aflplusplus package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 Nov 2020 12:06:15 +0100
Source: aflplusplus
Architecture: source
Version: 2.68c-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Raphaël Hertzog <raphael@offensive-security.com>
Closes: 969320 973557 974783
Changes:
 aflplusplus (2.68c-1) unstable; urgency=medium
 .
   * New upstream version 2.68c
   * Add a patch to improve reproducibility (Closes: #969320)
   * Improve long description to make it clear that afl is unmaintained
     (Closes: #973557)
   * Switch to clang/LLVM 11 (Closes: #974783)
   * Drop all patches, they have been merged upstream.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 17 Dec 2020 07:25:17 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 30 23:55:22 2025; Machine Name: buxtehude
