990253">

Debian Bug report logs - #990253
pmix: reproducible builds: Embeds build username and hostname in binaries

version graph

Package: src:pmix; Maintainer for src:pmix is Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Wed, 23 Jun 2021 23:09:02 UTC

Severity: normal

Tags: patch

Fixed in version pmix/4.1.0-1

Done: Alastair McKinstry <mckinstry@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#990253; Package src:pmix. (Wed, 23 Jun 2021 23:09:04 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Alastair McKinstry <mckinstry@debian.org>. (Wed, 23 Jun 2021 23:09:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: pmix: reproducible builds: Embeds build username and hostname in binaries
Date: Wed, 23 Jun 2021 16:05:12 -0700
[Message part 1 (text/plain, inline)]
Source: pmix
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username hostname
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The build username and build system hostname are embedded in binaries
shipped in pmix:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/pmix.html

  ./usr/bin/pmix_info

  PMIx·pbuilder1@ionos5-amd64·Distribution
  vs.
  PMIx·pbuilder2@i-capture-the-hostname·Distribution

The attached patch fixes this by setting USER and HOSTNAME from
debian/rules, as documented in the upstream README.

This patch does not address all reproducibility issues in pmix
(e.g. build paths), though applying it reduces the diff for the
remaining issues.

Thanks for maintaining pmix!

live well,
  vagrant
[0001-debian-rules-Set-USER-and-HOSTNAME-to-avoid-embeddin.patch (text/x-diff, inline)]
From f0aeb53422edeeebc83a6b6e05c90094f1e93d56 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Wed, 23 Jun 2021 22:50:58 +0000
Subject: [PATCH] debian/rules: Set USER and HOSTNAME to avoid embedding in
 binaries.

The upstream README documents setting USER and HOSTNAME to avoid
embedding the build username and build hostname to achieve
Reproducible Builds.

https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html
---
 debian/rules | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/debian/rules b/debian/rules
index aca41ec..d46a821 100755
--- a/debian/rules
+++ b/debian/rules
@@ -20,6 +20,10 @@ endif
 
 export LD_LIBRARY_PATH:=$(CURDIR)/debian/tmp/$(LIBDIR):$(LD_LIBRARY_PATH)
 
+# Do not embed build username or build system hostname, see README
+export HOSTNAME=hostname
+export USER=username
+
 %:
 	dh $@ 
 
-- 
2.32.0

[signature.asc (application/pgp-signature, inline)]

Reply sent to Alastair McKinstry <mckinstry@debian.org>:
You have taken responsibility. (Thu, 12 Aug 2021 10:51:03 GMT) (full text, mbox, link).


Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Thu, 12 Aug 2021 10:51:03 GMT) (full text, mbox, link).


Message #10 received at 990253-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 990253-close@bugs.debian.org
Subject: Bug#990253: fixed in pmix 4.1.0-1
Date: Thu, 12 Aug 2021 10:48:38 +0000
Source: pmix
Source-Version: 4.1.0-1
Done: Alastair McKinstry <mckinstry@debian.org>

We believe that the bug you reported is fixed in the latest version of
pmix, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990253@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry <mckinstry@debian.org> (supplier of updated pmix package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 12 Aug 2021 10:24:33 +0100
Source: pmix
Binary: libpmix-bin libpmix-bin-dbgsym libpmix-dev libpmix2 libpmix2-dbgsym python3-pmix python3-pmix-dbgsym
Architecture: source amd64
Version: 4.1.0-1
Distribution: experimental
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Alastair McKinstry <mckinstry@debian.org>
Description:
 libpmix-bin - Process Management Interface (Exascale) library - tools
 libpmix-dev - Development files for the PMI Exascale library
 libpmix2   - Process Management Interface (Exascale) library
 python3-pmix - Process Management Interface (Exascale) library - Python wrapper
Closes: 990253
Changes:
 pmix (4.1.0-1) experimental; urgency=medium
 .
   * New upstream release
   * Include reproducibility patch from Vagrant Cascadian. Closes: #990253
   * Add libevent-dev, libhwloc-dev and zlib1g-dev to libpmix-dev's Depends
Checksums-Sha1:
 f94a9197382a01d91ed06e923c4782937e3182f0 2231 pmix_4.1.0-1.dsc
 53f95d544a6b43d035965f432f136fa828e8281d 1171216 pmix_4.1.0.orig.tar.xz
 477c8d3885e57110bc4e8c4070d48be656b169ec 9072 pmix_4.1.0-1.debian.tar.xz
 84d0b57c89851cb19574587094bb783d67841a41 143592 libpmix-bin-dbgsym_4.1.0-1_amd64.deb
 8644efeeb51055c7e4f7f857564a91a4f3fc6889 39736 libpmix-bin_4.1.0-1_amd64.deb
 458206db8d564402fd6fa94e6e5dcf7b4e3d74b7 711664 libpmix-dev_4.1.0-1_amd64.deb
 e274500583e4c5770e1daeb84b8ea52576003eab 2385104 libpmix2-dbgsym_4.1.0-1_amd64.deb
 fa58949512f43e3a7afaaad4c3a6536917ae1f1c 567828 libpmix2_4.1.0-1_amd64.deb
 621a0153d61880e9db1fd55ae35393c77cca01a0 10260 pmix_4.1.0-1_amd64.buildinfo
 0b312152de7781eed90581c8f4c34fd72d5fcfa0 1280164 python3-pmix-dbgsym_4.1.0-1_amd64.deb
 1d382d109aa272adc24bd12194dc967debd26b8e 277812 python3-pmix_4.1.0-1_amd64.deb
Checksums-Sha256:
 9842788b12c44b4a89595f98ea4cdf715136e63fc1e5a353da439e58cd8e4ce1 2231 pmix_4.1.0-1.dsc
 0f57fedb377e84e34c2af3f6e6e0e4289fcb98755187f740b673dba4f7709f7d 1171216 pmix_4.1.0.orig.tar.xz
 edf813a2c87d50b236d05a98e1a47a5312aa4712390e40edabb902e4c0f918c6 9072 pmix_4.1.0-1.debian.tar.xz
 6e0a19df93ecc4fe0446b90a5abf9be0b58fbd6afdb42ab3c4f8b3e954f66323 143592 libpmix-bin-dbgsym_4.1.0-1_amd64.deb
 92709cdd22d78ecda7de98dd0f90e813e7816c592998ba56cabe5227b7fb2b4c 39736 libpmix-bin_4.1.0-1_amd64.deb
 4edae5b5e224ecbb0fe1d40d2db758a0864bf370796190798dd6fb66fdfc7587 711664 libpmix-dev_4.1.0-1_amd64.deb
 2e9805794d1708d2d885c2aa99e27497c38b9e3c45e44848fc6c5d1f5ee489f5 2385104 libpmix2-dbgsym_4.1.0-1_amd64.deb
 dc52781c9120577f7fc24dd69bcfd41ec3793f26ef076571bf69ca5a11e45f01 567828 libpmix2_4.1.0-1_amd64.deb
 bfd5c73b0b7872812fb1ac52245c4c34b73f4661e1c1efc434f63f8badc79af7 10260 pmix_4.1.0-1_amd64.buildinfo
 498c96067d9933e41c265513165b0cc7c5b22396e32da57e7e4bdf2ecf70d11c 1280164 python3-pmix-dbgsym_4.1.0-1_amd64.deb
 e5ddee616603c948884cf2aaa44a5a9dd9cf773a3bd8c2380ee7e2cc56f58d8f 277812 python3-pmix_4.1.0-1_amd64.deb
Files:
 fd0309f5de848ae496255c09b43d2249 2231 net optional pmix_4.1.0-1.dsc
 445a0ce37ab19deb5d2b00f9df177761 1171216 net optional pmix_4.1.0.orig.tar.xz
 c95b6520d8d2ecec986cd2e465fcac17 9072 net optional pmix_4.1.0-1.debian.tar.xz
 8534620b79fddaf328f03f655662015d 143592 debug optional libpmix-bin-dbgsym_4.1.0-1_amd64.deb
 a6b54f187e5e8497a664e0ab8a1bf92d 39736 net optional libpmix-bin_4.1.0-1_amd64.deb
 9132cca2c45a149f5bf0e5e583addd3c 711664 libdevel optional libpmix-dev_4.1.0-1_amd64.deb
 38a429b9494f662c2c5ac215426be4b5 2385104 debug optional libpmix2-dbgsym_4.1.0-1_amd64.deb
 575a6fdfb1289ee05fc13007797556f4 567828 libs optional libpmix2_4.1.0-1_amd64.deb
 04b1f94d4822688470eace1f58484ab7 10260 net optional pmix_4.1.0-1_amd64.buildinfo
 80be0501f11c445a0066a442380eac39 1280164 debug optional python3-pmix-dbgsym_4.1.0-1_amd64.deb
 e5f4d05cb51e7f21d6139c2515544aea 277812 net optional python3-pmix_4.1.0-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEgjg86RZbNHx4cIGiy+a7Tl2a06UFAmEU+VkACgkQy+a7Tl2a
06WyBw/7B4xiK6cgI+Uzod72dcamnWIq88gt+sxr443UmWOJiaV97AnhBzaC5eTO
J/JgO5R66VSQfKVY31asy+L6ZP2cfBDfYZanHFPvglN0ukBb+o7RPk79KScaByOl
DlOys7I+v0sFJVswt+Zkh6sR/xf46dJ45mKC0uj05Q+qp+2LVdHWbb98MVD7ZM2+
JJ15ZkJwRN0nM5qTRmwyiIVl5cTiPzYeS3FMFC+9vbHuTH9WsEO6SEhGvXn0yu5s
7mEvs1Fw+BNwE2GmoyvtWCIt3mu4E00eEhyQ93JA/yAOnDIXWZZeJ8RthzeYZw7Y
x+xmh2+IVfSuuAumV3zUtrkHgmDzXpI+Puz/+DerLGz+swwX9qIn5M1K2Ult71w6
hmwrIlLWsbSZf7fjB1dY235XTRfSconeVDJb2AcwdZ02f61Xrxe58KzE1eRQNDRG
nHsJFHLwOmPD9QF6KdqOMbl1ykrKFomoBi5R0/uLYLDYXZXuCvg2cSEzWRwndAZW
a+osp0phQAqf5Bu7WsCZm8JeG7asN7GL3FcAR/uuhg9EnY+Spas+aJV7AjAG+zan
Y2gghYv8OfCOX0QvLe3idaehDMq0tul+MTHRvroMe6WH/8YvzzrpTa9TU0oh/CY2
HOvswbxRjr/35eVfGXVR5q1sJsQ15U5PPLQ1GginLsbL/SRXdbE=
=NW3E
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Sep 2021 07:25:13 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 31 00:43:20 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.