
Debian Bug report logs - #972559
perl: please make the build mostly reproducible


Package: src:perl; Maintainer for src:perl is Niko Tyni <ntyni@debian.org>;

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Tue, 20 Oct 2020 09:57:02 UTC

Severity: wishlist

Tags: patch

Found in version perl/5.30.3-4

Fixed in version perl/5.32.0-6

Done: Niko Tyni <ntyni@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#972559; Package src:perl. (Tue, 20 Oct 2020 09:57:04 GMT).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Niko Tyni <ntyni@debian.org>. (Tue, 20 Oct 2020 09:57:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: perl: please make the build mostly reproducible
Date: Tue, 20 Oct 2020 10:55:23 +0100
Source: perl
Version: 5.30.3-4
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Hi,
 
Whilst working on the Reproducible Builds effort [0] we noticed that
perl could not be built reproducibly.

This is because it ships a number of build-related header files that
include the build path in various guises. Assuming these files are
actually useful in the binary package, a patch is attached that
sanitises these in debian/rules prior to the final creation of the .deb.

To be clear, Perl is not entirely reproducible with this change — I
need to address the variations added between a /usr-merged system and
one that is not. That part should be incoming soon.

 [0] https://reproducible-builds.org/


Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[perl.diff.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#972559; Package src:perl. (Tue, 20 Oct 2020 13:27:02 GMT).


Acknowledgement sent to Niko Tyni <ntyni@debian.org>:
Extra info received and forwarded to list. (Tue, 20 Oct 2020 13:27:02 GMT).


Message #10 received at 972559@bugs.debian.org:

From: Niko Tyni <ntyni@debian.org>
To: Chris Lamb <lamby@debian.org>, 972559@bugs.debian.org
Subject: Re: Bug#972559: perl: please make the build mostly reproducible
Date: Tue, 20 Oct 2020 14:23:26 +0100
On Tue, Oct 20, 2020 at 10:55:23AM +0100, Chris Lamb wrote:
> Source: perl
> Version: 5.30.3-4
> Severity: wishlist
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: buildpath
> X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
> 
> Hi,
>  
> Whilst working on the Reproducible Builds effort [0] we noticed that
> perl could not be built reproducibly.
> 
> This is because it ships a number of build-related header files that
> include the build path in various guises. Assuming these files are
> actually useful in the binary package, a patch is attached that
> sanitises these in debian/rules prior to the final creation of the .deb.

Thanks! For some reason I thought this was a wider issue than
just those files.

The config.h and Config_heavy.pl files are definitely useful and
necessary. The config.sh.* files are part of our hacky cross build
support, and we seem to be stuck with them until somebody implements
cross build safe configure probes upstream. Mangling the build directory
in all of them should be fine, though I worry a bit about short build
paths potentially matching some other data in the files. But I guess
that's mostly theoretical.

I'm uneasy with using $(CURDIR) as a regexp in sed.  Similar usage in the
past led to #585678. Given '+' is not special in sed regexps, this is not
quite as bad, but still not ideal.  An option is to say
  $(PERL_TO_USE) -pi -e 's/\Q$(CURDIR)\E/.../'
like we do elsewhere in the rules already.

> To be clear, Perl is not entirely reproducible with this change — I
> need to address the variations added between a /usr-merged system and
> one that is not. That part should be incoming soon.

Cool, thanks again.

We're currently waiting for a transition slot for perl 5.32, so this
may have to wait until after that. Feel free to poke if nothing happens.
-- 
Niko



Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#972559; Package src:perl. (Wed, 21 Oct 2020 14:09:03 GMT).


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 21 Oct 2020 14:09:03 GMT).


Message #15 received at 972559@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Niko Tyni" <ntyni@debian.org>, 972559@bugs.debian.org
Cc: reproducible-bugs@lists.alioth.debian.org
Subject: Re: Bug#972559: perl: please make the build mostly reproducible
Date: Wed, 21 Oct 2020 15:05:04 +0100
Hi Niko,

> Thanks! For some reason I thought this was a wider issue than
> just those files.

No problem. As far as I can tell, the build path issue is limited to
just these files, but as you later allude to, there are still the
usrmerge-related variations (#914128).

> I'm uneasy with using $(CURDIR) as a regexp in sed.  Similar usage in the
> past led to #585678. Given '+' is not special in sed regexps, this is not
> quite as bad, but still not ideal.

An excellent point. A few moments on codesearch.debian.net suggests
that using sed with CURDIR (what is, after all, untrusted input to
some degree) is a fairly common occurrence. I had yet to see an
instance of it causing problems until I saw #585678, however. I have
filed a wishlist bug against Lintian (#972629) as most of these should
be straightforward to detect.

> An option is to say
>   $(PERL_TO_USE) -pi -e 's/\Q$(CURDIR)\E/.../'
> like we do elsewhere in the rules already.

Good idea, and I've attached an updated patch for completeness.

Looking forward to seeing this land in the archive.


Best wishes,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-
[perl.diff.txt (text/plain, attachment)]

Reply sent to Niko Tyni <ntyni@debian.org>:
You have taken responsibility. (Mon, 14 Dec 2020 17:09:05 GMT).


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Mon, 14 Dec 2020 17:09:05 GMT).


Message #20 received at 972559-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 972559-close@bugs.debian.org
Subject: Bug#972559: fixed in perl 5.32.0-6
Date: Mon, 14 Dec 2020 17:05:39 +0000
Source: perl
Source-Version: 5.32.0-6
Done: Niko Tyni <ntyni@debian.org>

We believe that the bug you reported is fixed in the latest version of
perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 972559@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niko Tyni <ntyni@debian.org> (supplier of updated perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 13 Dec 2020 20:58:36 +0200
Source: perl
Architecture: source
Version: 5.32.0-6
Distribution: unstable
Urgency: medium
Maintainer: Niko Tyni <ntyni@debian.org>
Changed-By: Niko Tyni <ntyni@debian.org>
Closes: 972559 976666
Changes:
 perl (5.32.0-6) unstable; urgency=medium
 .
   [ Dominic Hargreaves ]
   * Update lintian overrides with various severity info and pedantic
     tags
 .
   [ Niko Tyni ]
   * Add patch from Chris Lamb removing traces of the build directory from
     the binary packages. (Closes: #972559)
   * Refresh cross build support files.
   * Make perl Break the old perl-modules-5.24 package. (Closes: #976666)
   * Add a missing test dependency on dpkg-dev.




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jan 2021 07:30:22 GMT).

