990254">

Debian Bug report logs - #990254
openmpi: reproducible builds: Embeds build username and hostname in binaries

version graph

Package: src:openmpi; Maintainer for src:openmpi is Debian Science Maintainers <debian-science-maintainers@lists.alioth.debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Wed, 23 Jun 2021 23:15:02 UTC

Severity: normal

Tags: patch

Fixed in version openmpi/4.1.1-3

Done: Alastair McKinstry <mckinstry@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Alastair McKinstry <mckinstry@debian.org>:
Bug#990254; Package src:openmpi. (Wed, 23 Jun 2021 23:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Alastair McKinstry <mckinstry@debian.org>. (Wed, 23 Jun 2021 23:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: openmpi: reproducible builds: Embeds build username and hostname in binaries
Date: Wed, 23 Jun 2021 16:09:59 -0700
[Message part 1 (text/plain, inline)]
Source: openmpi
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username hostname
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The build username and build system hostname are embedded in binaries
shipped in openmpi:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/openmpi.html

  ./usr/bin/ompi_info

  ionos11-amd64
  vs.
  i-capture-the-hostname

  pbuilder1
  vs.
  pbuilder2

The attached patch fixes this by setting USER and HOSTNAME from
debian/rules, as documented in the upstream README.


This patch does not address all reproducibility issues in openmpi
(e.g. build paths), though applying it reduces the diff for the
remaining issues.


Thanks for maintaining openmpi!


live well,
  vagrant
[0001-debian-rules-Set-USER-and-HOSTNAME-to-avoid-embeddin.patch (text/x-diff, inline)]
From feca5c55322a9d86b2e6d11dfcf338198c1c78aa Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Wed, 23 Jun 2021 22:55:51 +0000
Subject: [PATCH] debian/rules: Set USER and HOSTNAME to avoid embedding in
 binaries.

The upstream README documents setting USER and HOSTNAME to avoid
embedding the build username and build hostname to achieve
Reproducible Builds.

https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html
---
 debian/rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/rules b/debian/rules
index 0489ab0d..7eac2ee6 100755
--- a/debian/rules
+++ b/debian/rules
@@ -73,6 +73,9 @@ FCFLAGS += -O3
 #STATIC_CONFIG_PARAMS = --enable-static
 STATIC_CONFIG_PARAMS =  
 
+# Do not embed build username or build system hostname, see README
+export HOSTNAME=hostname
+export USER=username
 
 %:
 	dh $@ 
-- 
2.32.0

[signature.asc (application/pgp-signature, inline)]

Reply sent to Alastair McKinstry <mckinstry@debian.org>:
You have taken responsibility. (Fri, 27 Aug 2021 12:51:08 GMT) (full text, mbox, link).


Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Fri, 27 Aug 2021 12:51:08 GMT) (full text, mbox, link).


Message #10 received at 990254-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 990254-close@bugs.debian.org
Subject: Bug#990254: fixed in openmpi 4.1.1-3
Date: Fri, 27 Aug 2021 12:48:54 +0000
Source: openmpi
Source-Version: 4.1.1-3
Done: Alastair McKinstry <mckinstry@debian.org>

We believe that the bug you reported is fixed in the latest version of
openmpi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990254@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alastair McKinstry <mckinstry@debian.org> (supplier of updated openmpi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 27 Aug 2021 12:04:06 +0100
Source: openmpi
Architecture: source
Version: 4.1.1-3
Distribution: unstable
Urgency: medium
Maintainer: Alastair McKinstry <mckinstry@debian.org>
Changed-By: Alastair McKinstry <mckinstry@debian.org>
Closes: 945120 975995 979877 990254 993038 993041
Changes:
 openmpi (4.1.1-3) unstable; urgency=medium
 .
   * Don't embed username, hostname in binaries. Closes: #990254.
     Thanks, Vagrant Cascadian
   * Ship libopen-orted-mpir.so in -dev pkg only. Closes: #993041, #993038
   * Close bug fixed in previous release. Closes: #945120
   * Fix FTBFS with missing javadocs in stage1/no java builds.
     Closes: #979877, #975995
Checksums-Sha1:
 e85223155c6f50aadcf627ac84d00e5bc62e5302 2670 openmpi_4.1.1-3.dsc
 ed5a024f43e8da6375915fa14cd69bf8827c9744 67892 openmpi_4.1.1-3.debian.tar.xz
Checksums-Sha256:
 16f256bbc0f110e77832ec80ed40b320e508618b528b601899ea5ca621fdd7ce 2670 openmpi_4.1.1-3.dsc
 9fd21d22c4c5c6954f9a169440e8b0c086f28e84c33038406854d5cf2a0d73a4 67892 openmpi_4.1.1-3.debian.tar.xz
Files:
 c4a0101377f56ae461f498b1aefb13f1 2670 net optional openmpi_4.1.1-3.dsc
 c1d8b8bdf9c36bc44821d172850fb729 67892 net optional openmpi_4.1.1-3.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEgjg86RZbNHx4cIGiy+a7Tl2a06UFAmEo3L0ACgkQy+a7Tl2a
06V+Hg/+MmupV2cHje1rpVXWrDcV5b1BU9X+6Q++p6NGhgIEeZAztk+uT3fuIitC
EvrYjRqNx2GH21yFd7UGKeHfp3/lfRzxGPkKcqZLgUIP3NICiNHsUhwd3bQAp/ZZ
L7JUWzH9o6L6+scD6+mnO66ZNd6Ko0AvM+KXorbKq67EOOTBoqTaiMdHThzHl3Ip
0KpYXslyEmG1GRPKaF3uvERyHvDVSI8uFtwL9sKBIhokMpB72UzO944VTnqfDpAd
twOYg4TIkoCtrix3BqR3tRiVYDJ2C6cmPX1/UDqjn36c4jEhreKZ78d39s+xYENC
YxDzrXvneC08T56Swg1o+WOi0ayZ2wmvIdSNbS+ERdwBsMJMe9HcnMiKm5o2X5H/
+DmujaHoruUDSh4NOiK6bGNmbxtpTRyURTfWeABoYOyPWzkfLQWMcDotJiYr/T0Q
JtfS0SxqV9blZcXzcfA7P2HhM0B6f1/wRd5qRtUSZTt0lEMBqomuL4staa/lThQm
gNRFNe6F6wBpLRA4KbQG2PSoaIST3OYchutuPkQfCUdKzaF/7m93lHRMrJ/bi9Rh
jVwWEhJEAT4e5NmutG0M6HTcdUsArhNWwm+4E52TkHVwM6WMLRll8ElQW7X9Xq4g
vxmHTVHoxaZwExPqmWfC0u2K+GULyTbw3LFcczQlwVbAiiXIkw4=
=HcZI
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Oct 2021 07:28:14 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 31 00:16:28 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.