Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>.
(Mon, 31 Aug 2020 10:51:03 GMT)
Source: aflplusplus
Version: 2.67c-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: shell
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Hi,
Whilst working on the Reproducible Builds effort [0] we noticed that
aflplusplus could not be built reproducibly.
Here is the variation in the manpage
│ │ │ │ │ -.B afl-clang-fast \- /bin/sh: 1: ./afl-clang-fast: not found
│ │ │ │ │ +.B afl-clang-fast \- /bin/sh: ./afl-clang-fast: No such file or directory
This is, I think, because we do not build or keep these variants on
non-x86 systems, so the call in the Makefile fails with the above
message. This then varies depending on the user's shell that /bin/sh
symlinks to (!), rendering the package reproducible.
Untested patch attached that also removes these manpages from the
binary .deb along with the other deletions in debian/rules, but this may
not be the right approach for your package.
cd debian/afl++/usr/bin/ && rm afl-gcc afl-g++
cd debian/afl++/usr/lib/afl/ && rm as afl-as
cd debian/afl++-clang/usr/bin/ && rm afl-clang afl-clang++
+ cd debian/afl++-clang/usr/share/man/man8 && rm afl-clang-fast.8 afl-clang-fast++.8
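Review bot: the added `rm` in debian/rules is unconditional, while the report itself says the afl-clang-fast variants are only absent on non-x86 builds; on i386/amd64, where the binaries and their manpages are shipped, this line would drop afl-clang-fast.8 and afl-clang-fast++.8 from afl++-clang too. Either guard it on the architecture or fix the manpage generation step so the page is correct where the binary exists, rather than deleting the documentation everywhere.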
There is also a variation in these manpages based on the build date:
│ │ │ │ │ -.TH afl-clang-fast 8 2021-10-03 afl++
│ │ │ │ │ +.TH afl-clang-fast 8 2020-08-31 afl++
... but I can't quite see why as you do appear to be using the
SOURCE_DATE_EPOCH environment variable. It may not matter if we don't
even ship them, hence why I'm not immediately investigating this
angle.
[0] https://reproducible-builds.org/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
Subject: Bug#969320 marked as pending in aflplusplus
Date: Mon, 31 Aug 2020 13:00:23 +0000
Control: tag -1 pending
Hello,
Bug #969320 in aflplusplus reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/pkg-security-team/aflplusplus/-/commit/60853ffb43f0688200b61059b1b96aad90bb7c06
------------------------------------------------------------------------
Add a patch to improve reproducibility
Closes: #969320
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/969320
Added tag(s) pending.
Request was from Raphaël Hertzog <hertzog@debian.org>
to 969320-submitter@bugs.debian.org.
(Mon, 31 Aug 2020 13:03:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>: Bug#969320; Package src:aflplusplus.
(Mon, 31 Aug 2020 13:24:08 GMT)
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>.
(Mon, 31 Aug 2020 13:24:08 GMT)
To: Chris Lamb <lamby@debian.org>, 969320@bugs.debian.org
Subject: Re: Bug#969320: aflplusplus: please make the build reproducible
Date: Mon, 31 Aug 2020 15:05:27 +0200
Hi,
On Mon, 31 Aug 2020, Chris Lamb wrote:
> Whilst working on the Reproducible Builds effort [0] we noticed that
> aflplusplus could not be built reproducibly.
The reprotest CI job fails too and seems to show other issues:
https://salsa.debian.org/pkg-security-team/aflplusplus/-/jobs/964936/raw
I couldn't easily figure out the reason...
> Here is the variation in the manpage
>
> │ │ │ │ │ -.B afl-clang-fast \- /bin/sh: 1: ./afl-clang-fast: not found
> │ │ │ │ │ +.B afl-clang-fast \- /bin/sh: ./afl-clang-fast: No such file or directory
>
> This is, I think, because we do not build or keep these variants on
> non-x86 systems, so the call in the Makefile fails with the above
> message. This then varies depending on the user's shell that /bin/sh
> symlinks to (!), rendering the package reproducible.
The issue is actually in llvm_mode/GNUMakefile. On one line we expect the
binary in the current directory but it's actually built in the parent
directory.
> There is also a variation in these manpages based on the build date:
>
> │ │ │ │ │ -.TH afl-clang-fast 8 2021-10-03 afl++
> │ │ │ │ │ +.TH afl-clang-fast 8 2020-08-31 afl++
>
> ... but I can't quite see why as you do appear to be using the
> SOURCE_DATE_EPOCH environment variable. It may not matter if we don't
> even ship them, hence why I'm not immediately investigating this
> angle.
It does matter as we ship them on i386/amd64!
The issue is that llvm_mode/GNUMakefile is not using SOURCE_DATE_EPOCH.
Here's the patch I'm adding to git and submitting to upstream:
diff --git a/llvm_mode/GNUmakefile b/llvm_mode/GNUmakefile
index 1a8c9f43..380397f2 100644
--- a/llvm_mode/GNUmakefile
+++ b/llvm_mode/GNUmakefile
@@ -28,6 +28,8 @@ MAN_PATH ?= $(PREFIX)/share/man/man8
VERSION = $(shell grep '^$(HASH)define VERSION ' ../config.h | cut -d '"' -f2)
+BUILD_DATE ?= $(shell date -u -d "@$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u -r "$(SOURCE_DATE_EPOCH)" "+%Y-%m-%d" 2>/dev/null || date -u "+%Y-%m-%d")
+
ifeq "$(shell uname)" "OpenBSD"
LLVM_CONFIG ?= $(BIN_PATH)/llvm-config
HAS_OPT = $(shell test -x $(BIN_PATH)/opt && echo 0 || echo 1)
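Review bot: the BUILD_DATE fallback chain silently substitutes the current date whenever SOURCE_DATE_EPOCH is unset or not an integer, because both `date` attempts discard their errors with `2>/dev/null`; a broken SOURCE_DATE_EPOCH therefore reproduces the original varying `.TH` date without any warning. Consider emitting a one-line notice to stderr when the last branch is taken, and add a comment above the line explaining that the three branches cover GNU date (`-d "@epoch"`), BSD date (`-r epoch`) and the no-epoch case, since as written it reads as a single opaque command.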
@@ -440,10 +442,10 @@ install: all
vpath % ..
%.8: %
- @echo .TH $* 8 `date "+%Y-%m-%d"` "afl++" > ../$@
+ @echo .TH $* 8 $(BUILD_DATE) "afl++" > ../$@
@echo .SH NAME >> ../$@
@echo -n ".B $* \- " >> ../$@
- @./$* -h 2>&1 | head -n 1 | sed -e "s/$$(printf '\e')[^m]*m//g" >> ../$@
+ @../$* -h 2>&1 | head -n 1 | sed -e "s/$$(printf '\e')[^m]*m//g" >> ../$@
@echo >> ../$@
@echo .SH SYNOPSIS >> ../$@
@../$* -h 2>&1 | head -n 3 | tail -n 1 | sed 's/^\.\///' >> ../$@
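Review bot: `@../$* -h 2>&1 | head -n 1` fixes the path, but the recipe still merges stderr into the manpage, so if `../$*` is ever missing again (as on the non-x86 builds described earlier in this thread) the shell's own error text lands in the `.B` line and varies with whichever shell /bin/sh points to, which is exactly the difference the report shows; the pipeline also hides the failure, since only the status of the final `sed` is checked. A `test -x ../$*` at the top of the rule would make the build fail loudly instead, and it matches the existing SYNOPSIS line `@../$* -h 2>&1 | head -n 3 | tail -n 1`, which already used the parent directory.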
Filed here: https://github.com/AFLplusplus/AFLplusplus/pull/535
Cheers,
--
⢀⣴⠾⠻⢶⣦⠀ Raphaël Hertzog <hertzog@debian.org>
⣾⠁⢠⠒⠀⣿⡁
⢿⡄⠘⠷⠚⠋ The Debian Handbook: https://debian-handbook.info/get/
⠈⠳⣄⠀⠀⠀⠀ Debian Long Term Support: https://deb.li/LTS
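The two things Raphaël's patch changes (pinning the .TH date to SOURCE_DATE_EPOCH and running the binary from the directory it is actually built in) and the /bin/sh-dependent "not found" text from Chris's report can be exercised outside the Makefile. What follows is an added example, not code from the bug report, from AFL++'s GNUmakefile or from the Debian packaging: POSIX sh helpers (the names build_date, th_line, strip_ansi and name_line, and the epoch value 1598900000, are constructed for this illustration) that derive the date the same way the BUILD_DATE variable does but refuse to fall back to the current date, and that build the .B line only when the executable exists, so a shell error message can never end up in the manpage.

```shell
#!/bin/sh
# Added example for the aflplusplus reproducibility thread; not code from the
# bug report, from AFL++'s GNUmakefile or from the Debian packaging.
# Function names and the sample epoch below are constructed for illustration.

# build_date EPOCH -> prints YYYY-MM-DD (UTC) for the given epoch seconds.
# Unlike the Makefile's BUILD_DATE fallback chain, an unset or non-numeric
# epoch is an error, so a misconfigured build cannot silently pick "today".
# Tries GNU date first ("-d @epoch"), then BSD/macOS date ("-r epoch").
build_date() {
    epoch="${1:-${SOURCE_DATE_EPOCH:-}}"
    case "$epoch" in
        ''|*[!0-9]*)
            echo "build_date: SOURCE_DATE_EPOCH is unset or not an integer: '$epoch'" >&2
            return 1 ;;
    esac
    date -u -d "@$epoch" "+%Y-%m-%d" 2>/dev/null ||
        date -u -r "$epoch" "+%Y-%m-%d" 2>/dev/null
}

# th_line NAME EPOCH -> prints the ".TH" header line with a pinned date,
# the same shape the GNUmakefile rule writes.
th_line() {
    d=$(build_date "$2") || return 1
    printf '.TH %s 8 %s "afl++"\n' "$1" "$d"
}

# strip_ansi -> removes ESC[...m colour sequences from stdin. POSIX printf
# has no \e, so the escape byte is written as \033.
strip_ansi() {
    sed -e "s/$(printf '\033')\[[0-9;]*m//g"
}

# name_line DIR NAME -> prints '.B NAME \- <first line of NAME -h>'.
# Refuses to run when DIR/NAME is not executable: the output can then never
# contain a shell error whose wording differs between dash and bash.
name_line() {
    dir="$1"; name="$2"
    if [ ! -x "$dir/$name" ]; then
        echo "name_line: $dir/$name is missing; not generating $name.8" >&2
        return 1
    fi
    desc=$("$dir/$name" -h 2>&1 | head -n 1 | strip_ansi)
    printf '.B %s \\- %s\n' "$name" "$desc"
}

# Demo with a constructed epoch (2020-08-31 18:53:20 UTC); a real build would
# pass "$SOURCE_DATE_EPOCH" from the packaging environment instead.
th_line afl-clang-fast 1598900000
```

Running the file with `sh` prints the pinned `.TH afl-clang-fast 8 2020-08-31 "afl++"` line; calling `name_line` against a directory where the tool is absent exits non-zero with a message on stderr instead of writing `/bin/sh: ...: not found` into the page, which is the variation the report started from.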
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Security Tools <team+pkg-security@tracker.debian.org>: Bug#969320; Package src:aflplusplus.
(Mon, 31 Aug 2020 13:45:04 GMT)
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Security Tools <team+pkg-security@tracker.debian.org>.
(Mon, 31 Aug 2020 13:45:04 GMT)
To: "Raphael Hertzog" <hertzog@debian.org>, 969320@bugs.debian.org
Subject: Re: Bug#969320: aflplusplus: please make the build reproducible
Date: Mon, 31 Aug 2020 14:42:59 +0100
Hi Raphael,
> The issue is actually in llvm_mode/GNUMakefile. On one line we expect the
> binary in the current directory but it's actually built in the parent
> directory.
Ahh, of course there would be *two* versions of the manpage generation
snippet in the same source package.
Thanks for explaining (and fixing…) this.
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org 🍥 chris-lamb.co.uk
`-
Reply sent
to Raphaël Hertzog <raphael@offensive-security.com>:
You have taken responsibility.
(Tue, 17 Nov 2020 11:36:03 GMT)
Notification sent
to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer.
(Tue, 17 Nov 2020 11:36:03 GMT)
Source: aflplusplus
Source-Version: 2.68c-1
Done: Raphaël Hertzog <raphael@offensive-security.com>
We believe that the bug you reported is fixed in the latest version of
aflplusplus, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 969320@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Raphaël Hertzog <raphael@offensive-security.com> (supplier of updated aflplusplus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 17 Nov 2020 12:06:15 +0100
Source: aflplusplus
Architecture: source
Version: 2.68c-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Raphaël Hertzog <raphael@offensive-security.com>
Closes: 969320 973557 974783
Changes:
aflplusplus (2.68c-1) unstable; urgency=medium
.
* New upstream version 2.68c
* Add a patch to improve reproducibility (Closes: #969320)
* Improve long description to make it clear that afl is unmaintained
(Closes: #973557)
* Switch to clang/LLVM 11 (Closes: #974783)
* Drop all patches, they have been merged upstream.
Checksums-Sha1:
cd1a0c0c4363569948bdd643f494daa2750e3785 2067 aflplusplus_2.68c-1.dsc
a4f60d10495d17591614aab99a4011d3ea99959c 1675912 aflplusplus_2.68c.orig.tar.gz
4505362444b6aa24aa31a374089311106e36e319 5608 aflplusplus_2.68c-1.debian.tar.xz
2a52ee3eddbb50c7afe076d4e5d7142757da08a8 6880 aflplusplus_2.68c-1_source.buildinfo
Checksums-Sha256:
38a6c5ac7f8511d53da08fdba241fe506ccfd022cab88a3d6c1f147dccf1754e 2067 aflplusplus_2.68c-1.dsc
862e155c97737770baa26ffedf324a7fa255b757c85b0c9a6f312264f2ca29c5 1675912 aflplusplus_2.68c.orig.tar.gz
9f25f0b432632378b21e058c5349f2d2c21aa740a94d219f0e570118d6010595 5608 aflplusplus_2.68c-1.debian.tar.xz
667eac12d2fe8a19dd863ac426f0b1b5d046e831e5b1075ead9797b8afa23915 6880 aflplusplus_2.68c-1_source.buildinfo
Files:
c1486836f6fc351c75559dae17507926 2067 devel optional aflplusplus_2.68c-1.dsc
d193b5f93e53d0acb749fcf01faf27f7 1675912 devel optional aflplusplus_2.68c.orig.tar.gz
5b73e2174f7e14a36d00eba619e5cd17 5608 devel optional aflplusplus_2.68c-1.debian.tar.xz
894849da6b0a04bc15aa1e94b648aaf1 6880 devel optional aflplusplus_2.68c-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
Comment: Signed by Raphael Hertzog
iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAl+zsksACgkQA4gdq+vC
mrnPTgf/XAflHEk0DM/cBlgDGQYoz0QInWRrkx8E43R5Cx589czosZfYvdZ9xs0u
iwEYZo5Fz2q6tmbPbKzgPz4qdXlKFoO+KHK2Ne3aC9k7Xtxw3cSKNDAsbAeDE5l3
YqLPxhuivxbwPGwceoQ4mycYZeSChtPn4NvrPYw6zG8qKce3XFGPmmBN00QTol+3
9kXWvXfI1HXM7XuVzCUUXTeOvCExouEST1bpZd1I0LP/Ca/zfQv9XEpBcpADskOR
9WRw+hczjy2b68JZzePqOI11hT055I3pg+4kxfeDgmA3Q1AFHDLUSUJxWS4PMYtC
3VxPX/+AlxgzIXXkEd+MJtEksoxReg==
=JBim
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 17 Dec 2020 07:25:17 GMT)