990246">

Debian Bug report logs - #990246
vlc: reproducible builds: Embeds build username and hostname in binaries

version graph

Package: src:vlc; Maintainer for src:vlc is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Wed, 23 Jun 2021 20:21:01 UTC

Severity: normal

Tags: patch

Fixed in version vlc/3.0.17-1

Done: Sebastian Ramacher <sramacher@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://code.videolan.org/videolan/vlc/-/issues/26035

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Wed, 23 Jun 2021 20:21:03 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 23 Jun 2021 20:21:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Wed, 23 Jun 2021 13:16:47 -0700
[Message part 1 (text/plain, inline)]
Source: vlc
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username hostname
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The build username and build system hostname are embedded in binaries
shipped in vlc:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html

  ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 

  pbuilder1
  vs.
  pbuilder2

  ionos11-amd64
  vs.
  i-capture-the-hostname

The attached patch fixes this by setting VLC_COMPILE_BY and
VLC_COMPILE_HOST to empty values in configure.ac.


This patch does not address all reproducibility issues in vlc
(e.g. build paths), though applying it reduces the diff for the
remaining issues.


Thanks for maintaining vlc!


live well,
  vagrant
[0001-Disable-embedding-the-build-hostname-and-username-in.patch (text/x-diff, inline)]
From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Wed, 23 Jun 2021 19:33:47 +0000
Subject: [PATCH 1/3] Disable embedding the build hostname and username in the
 binaries.

https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html
---
 configure.ac | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7db5256a8..5d6324cf9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR)
 AC_SUBST(VERSION_REVISION)
 AC_SUBST(VERSION_EXTRA)
 AC_SUBST(COPYRIGHT_YEARS)
-AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\\\\\/g'`", [user who ran configure])
-AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || hostname`", [host which ran configure])
+AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure])
+AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure])
 AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ *$//'`", [compiler])
 dnl
 dnl  Handle substvars that use $(top_srcdir)
-- 
2.32.0

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Wed, 25 Aug 2021 11:39:07 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 25 Aug 2021 11:39:07 GMT) (full text, mbox, link).


Message #10 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Vagrant Cascadian <vagrant@reproducible-builds.org>, 990246@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Wed, 25 Aug 2021 13:36:43 +0200
Control: tags -1 - patch

On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
> Source: vlc
> Severity: normal
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: username hostname
> X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
> 
> The build username and build system hostname are embedded in binaries
> shipped in vlc:
> 
>   https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html
> 
>   ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 
> 
>   pbuilder1
>   vs.
>   pbuilder2
> 
>   ionos11-amd64
>   vs.
>   i-capture-the-hostname
> 
> The attached patch fixes this by setting VLC_COMPILE_BY and
> VLC_COMPILE_HOST to empty values in configure.ac.

NACK. This information is part of the logs that are usually requested
from users by upstream. We want to have this information included in the
log so that upstream can easily identify where the logs are coming from
and what they are using. And for that purpose, a self-built deb or one
from a downstream distribution is different from the Debian one.

Cheers

> 
> 
> This patch does not address all reproducibility issues in vlc
> (e.g. build paths), though applying it reduces the diff for the
> remaining issues.
> 
> 
> Thanks for maintaining vlc!
> 
> 
> live well,
>   vagrant

> From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
> Date: Wed, 23 Jun 2021 19:33:47 +0000
> Subject: [PATCH 1/3] Disable embedding the build hostname and username in the
>  binaries.
> 
> https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html
> ---
>  configure.ac | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index 7db5256a8..5d6324cf9 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR)
>  AC_SUBST(VERSION_REVISION)
>  AC_SUBST(VERSION_EXTRA)
>  AC_SUBST(COPYRIGHT_YEARS)
> -AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\\\\\/g'`", [user who ran configure])
> -AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || hostname`", [host which ran configure])
> +AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure])
> +AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure])
>  AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ *$//'`", [compiler])
>  dnl
>  dnl  Handle substvars that use $(top_srcdir)
> -- 
> 2.32.0
> 




-- 
Sebastian Ramacher



Removed tag(s) patch. Request was from Sebastian Ramacher <sramacher@debian.org> to 990246-submit@bugs.debian.org. (Wed, 25 Aug 2021 11:39:07 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Wed, 25 Aug 2021 17:12:02 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Wed, 25 Aug 2021 17:12:03 GMT) (full text, mbox, link).


Message #17 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Sebastian Ramacher <sramacher@debian.org>, 990246@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Wed, 25 Aug 2021 10:08:07 -0700
[Message part 1 (text/plain, inline)]
On 2021-08-25, Sebastian Ramacher wrote:
> On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
>> The build username and build system hostname are embedded in binaries
>> shipped in vlc:
>> 
>>   https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html
>> 
>>   ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 
>> 
>>   pbuilder1
>>   vs.
>>   pbuilder2
>> 
>>   ionos11-amd64
>>   vs.
>>   i-capture-the-hostname
>> 
>> The attached patch fixes this by setting VLC_COMPILE_BY and
>> VLC_COMPILE_HOST to empty values in configure.ac.
>
> NACK. This information is part of the logs that are usually requested
> from users by upstream. We want to have this information included in the
> log so that upstream can easily identify where the logs are coming from
> and what they are using. And for that purpose, a self-built deb or one
> from a downstream distribution is different from the Debian one.

The username and hostname of the build seems a rather imprecise way to
find out information about the origin of the build...

In the context of Debian, a given package+version has specific build
logs associated with it findable at https://buildd.debian.org/PACKAGE

I would expect downstream projects to have something similar
(e.g. ubuntu).

Obviously that wouldn't help for a self-built deb, but I would think the
person who built the deb would already have that information (and
ideally share that information with upstream)...

Thanks for considering. Perhaps it will be best to take this upstream at
this point, anyways...


live well,
  vagrant


>> This patch does not address all reproducibility issues in vlc
>> (e.g. build paths), though applying it reduces the diff for the
>> remaining issues.
>> 
>> 
>> Thanks for maintaining vlc!
>> 
>> 
>> live well,
>>   vagrant
>
>> From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001
>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>> Date: Wed, 23 Jun 2021 19:33:47 +0000
>> Subject: [PATCH 1/3] Disable embedding the build hostname and username in the
>>  binaries.
>> 
>> https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html
>> ---
>>  configure.ac | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>> 
>> diff --git a/configure.ac b/configure.ac
>> index 7db5256a8..5d6324cf9 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR)
>>  AC_SUBST(VERSION_REVISION)
>>  AC_SUBST(VERSION_EXTRA)
>>  AC_SUBST(COPYRIGHT_YEARS)
>> -AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\\\\\/g'`", [user who ran configure])
>> -AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || hostname`", [host which ran configure])
>> +AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure])
>> +AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure])
>>  AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ *$//'`", [compiler])
>>  dnl
>>  dnl  Handle substvars that use $(top_srcdir)
>> -- 
>> 2.32.0
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Thu, 26 Aug 2021 03:03:02 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 26 Aug 2021 03:03:02 GMT) (full text, mbox, link).


Message #22 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Sebastian Ramacher <sramacher@debian.org>, 990246@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Wed, 25 Aug 2021 19:59:56 -0700
[Message part 1 (text/plain, inline)]
Control: forwarded 990246 https://savannah.gnu.org/support/index.php?110532

On 2021-08-25, Vagrant Cascadian wrote:
> On 2021-08-25, Sebastian Ramacher wrote:
>> On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
>>> The build username and build system hostname are embedded in binaries
>>> shipped in vlc:
>>> 
>>>   https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html
...
> Thanks for considering. Perhaps it will be best to take this upstream at
> this point, anyways...

https://savannah.gnu.org/support/index.php?110532

Will see what upstream has to say...

live well,
  vagrant
[signature.asc (application/pgp-signature, inline)]

Set Bug forwarded-to-address to 'https://savannah.gnu.org/support/index.php?110532'. Request was from Vagrant Cascadian <vagrant@reproducible-builds.org> to 990246-submit@bugs.debian.org. (Thu, 26 Aug 2021 03:03:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Thu, 26 Aug 2021 08:54:03 GMT) (full text, mbox, link).


Acknowledgement sent to Sebastian Ramacher <sramacher@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 26 Aug 2021 08:54:03 GMT) (full text, mbox, link).


Message #29 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Sebastian Ramacher <sramacher@debian.org>
To: Vagrant Cascadian <vagrant@reproducible-builds.org>
Cc: 990246@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Thu, 26 Aug 2021 10:50:49 +0200
[Message part 1 (text/plain, inline)]
On 2021-08-25 10:08:07 -0700, Vagrant Cascadian wrote:
> On 2021-08-25, Sebastian Ramacher wrote:
> > On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
> >> The build username and build system hostname are embedded in binaries
> >> shipped in vlc:
> >> 
> >>   https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html
> >> 
> >>   ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 
> >> 
> >>   pbuilder1
> >>   vs.
> >>   pbuilder2
> >> 
> >>   ionos11-amd64
> >>   vs.
> >>   i-capture-the-hostname
> >> 
> >> The attached patch fixes this by setting VLC_COMPILE_BY and
> >> VLC_COMPILE_HOST to empty values in configure.ac.
> >
> > NACK. This information is part of the logs that are usually requested
> > from users by upstream. We want to have this information included in the
> > log so that upstream can easily identify where the logs are coming from
> > and what they are using. And for that purpose, a self-built deb or one
> > from a downstream distribution is different from the Debian one.
> 
> The username and hostname of the build seems a rather imprecise way to
> find out information about the origin of the build...
> 
> In the context of Debian, a given package+version has specific build
> logs associated with it findable at https://buildd.debian.org/PACKAGE

A package version doesn't tell me if it's the same version but built by
Debian, built by Ubuntu, built by Devuan, etc. And given that we receive
bug reports from downstream distributions also in the Debian BTS, that's
something I want to know when triaging those reports.

I'd be fine if that says for example, $DIST $ARCH buildd. That would
only leave custom built debs.

Cheers

> 
> I would expect downstream projects to have something similar
> (e.g. ubuntu).
> 
> Obviously that wouldn't help for a self-built deb, but I would think the
> person who built the deb would already have that information (and
> ideally share that information with upstream)...
> 
> Thanks for considering. Perhaps it will be best to take this upstream at
> this point, anyways...
> 
> 
> live well,
>   vagrant
> 
> 
> >> This patch does not address all reproducibility issues in vlc
> >> (e.g. build paths), though applying it reduces the diff for the
> >> remaining issues.
> >> 
> >> 
> >> Thanks for maintaining vlc!
> >> 
> >> 
> >> live well,
> >>   vagrant
> >
> >> From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001
> >> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
> >> Date: Wed, 23 Jun 2021 19:33:47 +0000
> >> Subject: [PATCH 1/3] Disable embedding the build hostname and username in the
> >>  binaries.
> >> 
> >> https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html
> >> ---
> >>  configure.ac | 4 ++--
> >>  1 file changed, 2 insertions(+), 2 deletions(-)
> >> 
> >> diff --git a/configure.ac b/configure.ac
> >> index 7db5256a8..5d6324cf9 100644
> >> --- a/configure.ac
> >> +++ b/configure.ac
> >> @@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR)
> >>  AC_SUBST(VERSION_REVISION)
> >>  AC_SUBST(VERSION_EXTRA)
> >>  AC_SUBST(COPYRIGHT_YEARS)
> >> -AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\\\\\/g'`", [user who ran configure])
> >> -AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || hostname`", [host which ran configure])
> >> +AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure])
> >> +AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure])
> >>  AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ *$//'`", [compiler])
> >>  dnl
> >>  dnl  Handle substvars that use $(top_srcdir)
> >> -- 
> >> 2.32.0



-- 
Sebastian Ramacher
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Thu, 26 Aug 2021 09:12:03 GMT) (full text, mbox, link).


Acknowledgement sent to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 26 Aug 2021 09:12:03 GMT) (full text, mbox, link).


Message #34 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian@greffrath.com>
To: Vagrant Cascadian <vagrant@reproducible-builds.org>, 990246@bugs.debian.org
Cc: Sebastian Ramacher <sramacher@debian.org>
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Thu, 26 Aug 2021 11:03:08 +0200
Control: forwarded -1 
https://code.videolan.org/videolan/vlc/-/issues/26035

Am 26.08.2021 04:59, schrieb Vagrant Cascadian:
> Control: forwarded 990246 
> https://savannah.gnu.org/support/index.php?110532



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Thu, 26 Aug 2021 09:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 26 Aug 2021 09:15:03 GMT) (full text, mbox, link).


Message #39 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian@greffrath.com>
To: 990246@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Thu, 26 Aug 2021 11:13:39 +0200
Control: forwarded 990246 
https://code.videolan.org/videolan/vlc/-/issues/26035

Am 26.08.2021 04:59, schrieb Vagrant Cascadian:
> Control: forwarded 990246 
> https://savannah.gnu.org/support/index.php?110532



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Thu, 26 Aug 2021 09:54:02 GMT) (full text, mbox, link).


Acknowledgement sent to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Thu, 26 Aug 2021 09:54:03 GMT) (full text, mbox, link).


Message #44 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Fabian Greffrath <fabian@greffrath.com>
To: 990246@bugs.debian.org
Cc: Vagrant Cascadian <vagrant@reproducible-builds.org>, Sebastian Ramacher <sramacher@debian.org>
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Thu, 26 Aug 2021 11:50:58 +0200
Sorry for my super-clever MUA adding line breaks on its own.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Mon, 04 Oct 2021 06:51:02 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Mon, 04 Oct 2021 06:51:02 GMT) (full text, mbox, link).


Message #49 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Sebastian Ramacher <sramacher@debian.org>
Cc: 990246@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Sun, 03 Oct 2021 23:46:08 -0700
[Message part 1 (text/plain, inline)]
Control: tags 990246 +patch

On 2021-08-26, Sebastian Ramacher wrote:
> On 2021-08-25 10:08:07 -0700, Vagrant Cascadian wrote:
>> On 2021-08-25, Sebastian Ramacher wrote:
>> > On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
>> >> The build username and build system hostname are embedded in binaries
>> >> shipped in vlc:
>> >> 
>> >>   https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html
>> >> 
>> >>   ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 
>> >> 
>> >>   pbuilder1
>> >>   vs.
>> >>   pbuilder2
>> >> 
>> >>   ionos11-amd64
>> >>   vs.
>> >>   i-capture-the-hostname
>> >> 
>> >> The attached patch fixes this by setting VLC_COMPILE_BY and
>> >> VLC_COMPILE_HOST to empty values in configure.ac.
>> >
>> > NACK. This information is part of the logs that are usually requested
>> > from users by upstream. We want to have this information included in the
>> > log so that upstream can easily identify where the logs are coming from
>> > and what they are using. And for that purpose, a self-built deb or one
>> > from a downstream distribution is different from the Debian one.
>> 
>> The username and hostname of the build seems a rather imprecise way to
>> find out information about the origin of the build...
>> 
>> In the context of Debian, a given package+version has specific build
>> logs associated with it findable at https://buildd.debian.org/PACKAGE
>
> A package version doesn't tell me if it's the same version but built by
> Debian, built by Ubuntu, built by Devuan, etc. And given that we receive
> bug reports from downstream distributions also in the Debian BTS, that's
> something I want to know when triaging those reports.
>
> I'd be fine if that says for example, $DIST $ARCH buildd. That would
> only leave custom built debs.

Attached is a patch that was merged upstream, allowing overriding
VLC_COMPILE_BY and VLC_COMPILE_HOST from configure.

The second patch modifies Debian rules to pass information about the
build host (DEB_VENDOR, DEB_HOST_ARCH, DEB_HOST_GNU_TYPE) via
VLC_COMPILE_BY and VLC_COMPILE_HOST passed to configure.

Hopefully this is sufficient to address the concerns of uniquely
identifying a build...


Thanks for considering!


live well,
  vagrant
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Vagrant Cascadian <vagrant@reproducible-builds.org> to 990246-submit@bugs.debian.org. (Mon, 04 Oct 2021 06:51:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>:
Bug#990246; Package src:vlc. (Mon, 04 Oct 2021 06:51:04 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>. (Mon, 04 Oct 2021 06:51:04 GMT) (full text, mbox, link).


Message #56 received at 990246@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Sebastian Ramacher <sramacher@debian.org>
Cc: 990246@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Sun, 03 Oct 2021 23:48:38 -0700
[Message part 1 (text/plain, inline)]
On 2021-10-03, Vagrant Cascadian wrote:
> On 2021-08-26, Sebastian Ramacher wrote:
>> On 2021-08-25 10:08:07 -0700, Vagrant Cascadian wrote:
>>> On 2021-08-25, Sebastian Ramacher wrote:
>>> > On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
>>> >> The build username and build system hostname are embedded in binaries
>>> >> shipped in vlc:
...
>> A package version doesn't tell me if it's the same version but built by
>> Debian, built by Ubuntu, built by Devuan, etc. And given that we receive
>> bug reports from downstream distributions also in the Debian BTS, that's
>> something I want to know when triaging those reports.
>>
>> I'd be fine if that says for example, $DIST $ARCH buildd. That would
>> only leave custom built debs.
>
> Attached is a patch that was merged upstream, allowing overriding
> VLC_COMPILE_BY and VLC_COMPILE_HOST from configure.
>
> The second patch modifies Debian rules to pass information about the
> build host (DEB_VENDOR, DEB_HOST_ARCH, DEB_HOST_GNU_TYPE) via
> VLC_COMPILE_BY and VLC_COMPILE_HOST passed to configure.
>
> Hopefully this is sufficient to address the concerns of uniquely
> identifying a build...

Promised patches attached, really. :)

live well,
  vagrant

[0001-debian-patches-Allow-passing-VLC_COMPILE_BY-and-VLC_.patch (text/x-diff, inline)]
From eb977a8054db3b7ff665687dfc81647f2fc76943 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@debian.org>
Date: Sun, 3 Oct 2021 23:21:41 -0700
Subject: [PATCH 1/2] debian/patches: Allow passing VLC_COMPILE_BY and
 VLC_COMPILE_HOST to configure.

---
 ...ow-passing-VLC_COMPILE_BY-and-VLC_CO.patch | 42 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch

diff --git a/debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch b/debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch
new file mode 100644
index 0000000000..32479abfeb
--- /dev/null
+++ b/debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch
@@ -0,0 +1,42 @@
+From: Vagrant Cascadian <vagrant@reproducible-builds.org>
+Date: Wed, 29 Sep 2021 23:18:26 +0000
+Subject: [PATCH] configure.ac: Allow passing VLC_COMPILE_BY and
+ VLC_COMPILE_HOST.
+Origin: https://code.videolan.org/videolan/vlc/-/commit/9e7ed0247dd298fe8597431ae0738882e734011b
+Bug: https://code.videolan.org/videolan/vlc/-/issues/26035
+Bug-Debian: https://bugs.debian.org/990246
+
+This allows passing a specific value instead of inheriting these
+values from the build environment.
+
+Fixes #26035
+
+Backported from upstream commit 9e7ed0247dd298fe8597431ae0738882e734011b
+---
+ configure.ac | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 7db5256a84..614edbc461 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -4324,8 +4324,14 @@ AC_SUBST(VERSION_MINOR)
+ AC_SUBST(VERSION_REVISION)
+ AC_SUBST(VERSION_EXTRA)
+ AC_SUBST(COPYRIGHT_YEARS)
+-AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\\\\\/g'`", [user who ran configure])
+-AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || hostname`", [host which ran configure])
++if [ -z "$VLC_COMPILE_BY" ]; then
++   VLC_COMPILE_BY=`whoami|sed -e 's/\\\/\\\\\\\/g'`
++fi
++AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "$VLC_COMPILE_BY", [user who ran configure])
++if [ -z "$VLC_COMPILE_HOST" ]; then
++   VLC_COMPILE_HOST=`hostname -f 2>/dev/null || hostname`
++fi
++AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "$VLC_COMPILE_HOST", [host which ran configure])
+ AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ *$//'`", [compiler])
+ dnl
+ dnl  Handle substvars that use $(top_srcdir)
+-- 
+2.30.2
+
diff --git a/debian/patches/series b/debian/patches/series
index 4ac56b9c17..c263fa5c89 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-configure-fix-linking-on-RISC-V-ISA.patch
 0002-Revert-configure-Require-libmodplug-0.8.9.patch
 0003-Do-not-generate-cache-during-build.patch
+0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch
-- 
2.30.2

[0002-debian-rules-Pass-VLC_COMPILE_HOST-and-VLC_COMPILE_B.patch (text/x-diff, inline)]
From c2eb314b786afef88a225bbfb39f6ceeed85638a Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Wed, 29 Sep 2021 23:13:07 +0000
Subject: [PATCH 2/2] debian/rules: Pass VLC_COMPILE_HOST and VLC_COMPILE_BY to
 configure. (Closes: #990246)

---
 debian/rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/rules b/debian/rules
index 92ec896223..b43e06ec1b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -254,6 +254,9 @@ confflags += --disable-altivec
 removeplugins += altivec
 endif
 
+confflags += VLC_COMPILE_HOST=$(DEB_VENDOR)-$(DEB_HOST_ARCH)-$(DEB_HOST_GNU_TYPE)
+confflags += VLC_COMPILE_BY=$(DEB_VENDOR)
+
 # PowerPCSPE specific optimizations
 ifeq (,$(filter-out powerpcspe,$(DEB_HOST_ARCH)))
 DEB_CFLAGS_MAINT_APPEND += -mtune=8548
-- 
2.30.2

[signature.asc (application/pgp-signature, inline)]

Information stored :
Bug#990246; Package src:vlc. (Sun, 10 Oct 2021 01:36:06 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and filed, but not forwarded. (Sun, 10 Oct 2021 01:36:06 GMT) (full text, mbox, link).


Message #61 received at 990246-quiet@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: 990246-quiet@bugs.debian.org
Subject: Re: Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Date: Sat, 09 Oct 2021 18:32:42 -0700
[Message part 1 (text/plain, inline)]
Control: forwarded 990246 https://code.videolan.org/videolan/vlc/-/issues/26035

On 2021-08-25, Vagrant Cascadian wrote:
> Control: forwarded 990246 https://savannah.gnu.org/support/index.php?110532

Fixed forwarded URL...


live well,
  vagrant
[signature.asc (application/pgp-signature, inline)]

Changed Bug forwarded-to-address to 'https://code.videolan.org/videolan/vlc/-/issues/26035' from 'https://savannah.gnu.org/support/index.php?110532'. Request was from Vagrant Cascadian <vagrant@reproducible-builds.org> to 990246-quiet@bugs.debian.org. (Sun, 10 Oct 2021 01:36:06 GMT) (full text, mbox, link).


Reply sent to Sebastian Ramacher <sramacher@debian.org>:
You have taken responsibility. (Sat, 12 Mar 2022 22:39:04 GMT) (full text, mbox, link).


Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Sat, 12 Mar 2022 22:39:04 GMT) (full text, mbox, link).


Message #68 received at 990246-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 990246-close@bugs.debian.org
Subject: Bug#990246: fixed in vlc 3.0.17-1
Date: Sat, 12 Mar 2022 22:35:23 +0000
Source: vlc
Source-Version: 3.0.17-1
Done: Sebastian Ramacher <sramacher@debian.org>

We believe that the bug you reported is fixed in the latest version of
vlc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990246@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastian Ramacher <sramacher@debian.org> (supplier of updated vlc package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Mar 2022 20:40:54 +0100
Source: vlc
Architecture: source
Version: 3.0.17-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>
Changed-By: Sebastian Ramacher <sramacher@debian.org>
Closes: 990246 1004584
Changes:
 vlc (3.0.17-1) unstable; urgency=medium
 .
   * New upstream version 3.0.17
     - Fix build with ffmpeg 5.0 (Closes: #1004584)
   * debian/control:
     - Switch to libidn-dev
     - Bump BD on libopenmpt-modplug-dev
     - Bump Standards-Version
   * debian/copyright:
     - Add missing text to BSD-2-clause
     - Update copyright for 3.0.17
   * debian/patches: Refresh patches
   * debian/rules: Set VLC_COMPILE_BY and VLC_COMPILE_HOST (Closes: #990246)
   * debian/: Update lintian override
Checksums-Sha1:
 2009fa1361d9e43bd5076c026b43be2272f701e3 6309 vlc_3.0.17-1.dsc
 0c8ab67be1989ce9d4e5c4d377f5740c00f53d29 26391800 vlc_3.0.17.orig.tar.xz
 0ebd0704ea5a4fd2262cbb3c1af212eb3f278675 195 vlc_3.0.17.orig.tar.xz.asc
 1a37a1783c611de0da2c1327c43220ff92b5956c 65024 vlc_3.0.17-1.debian.tar.xz
Checksums-Sha256:
 b5aa2c1124147f3943f43cfd4628572468b1f8bd12cd52973c57a5774d49483d 6309 vlc_3.0.17-1.dsc
 48bd9bf337aa107a1524eba57c52dc4a91e29f5a97fbdee92f6a4dba90383cd0 26391800 vlc_3.0.17.orig.tar.xz
 1a7c5ffa348956a0734c5bf91362c6e0c12188e5d2df42a25419a3476dffffc4 195 vlc_3.0.17.orig.tar.xz.asc
 46e1f992d196ec596009704038c6a8113dc7d403820597d70823069f48a34990 65024 vlc_3.0.17-1.debian.tar.xz
Files:
 badec10f80b8f5733e93540ea46d362d 6309 video optional vlc_3.0.17-1.dsc
 42c12ac468a393250ef798e740a42796 26391800 video optional vlc_3.0.17.orig.tar.xz
 2e262873c71335a341fba445bb06b93b 195 video optional vlc_3.0.17.orig.tar.xz.asc
 d4dbf765657eebd7dc22885c7e978f85 65024 video optional vlc_3.0.17-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE94y6B4F7sUmhHTOQafL8UW6nGZMFAmItH1oACgkQafL8UW6n
GZME9xAAubJLkwBepRLBR4ABTy/qdUko+Tl+HJCAncfXEdkvukOBkKdSklUQzWAG
2UOJgqUDbcqIijdQHFrR/iNPaoxb6E8W5cyDUV84gUorEoxHNDQ6S1b8rrXgRdmd
2dLcFxlSnJ37eTS8IBCDcw8IyLO1/bmLpxOw39owksJMwjUUtTKbK0RdTc6gKWxB
fIpnyIc5BfxX6+2s81UhArsJLRa8IVvKZTqSunaB/JHPPpJqOobU48Sjguq5FqYu
onYtfQtygQkI1R5SfmgzTQfpuv/B65oyM62sMuarIfeIbQKh8An3qx75S4HRjfQY
d/Ad6RZVTyoArvUcyHxaP/Udecmpo0mgMRokVpVzLVajyt5JGDEr3qsCcfvA07UL
8/nh/vDxljhlt1zDRDO22AEFHhkIjxj0eHmjLmNdWL2wGc9brxGWvEp3XKkm3siR
GJ3rtRkP/RAdLBupTKWTSt9w4QHmsdYS/r+abm0eYFl9duCyp3nJ5OiOzz9t8Kig
tEmWi/ku1tsHOA7m3jULKcO1DrU+Gow8chAZi43vyHAcZBy4QyRxHEcF1SpoTxVX
ssAPJ5VuIHLYXT6eu+sQrIbrjMN5LdyJiQNOT8A8/ji+hKApfX4QQoZxMU6HweEY
Jyk89kHLQxxx7fFb4r43AxaLXufullw9LTxaSzpSxe80FvHTCA0=
=bN1U
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 14 Apr 2022 07:26:46 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 31 00:27:34 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.