990323">

Debian Bug report logs - #990323
volume-key: reproducible-builds: Example Makefiles embed build paths and binary paths

version graph

Package: src:volume-key; Maintainer for src:volume-key is Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Fri, 25 Jun 2021 17:42:01 UTC

Severity: normal

Tags: patch

Fixed in version volume-key/0.3.12-4

Done: Michael Biebl <biebl@debian.org>

Bug is archived. No further changes may be made.

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#990323; Package src:volume-key. (Fri, 25 Jun 2021 17:42:03 GMT) (full text, mbox, link).


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 25 Jun 2021 17:42:03 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: volume-key: reproducible-builds: Example Makefiles embed build paths and binary paths
Date: Fri, 25 Jun 2021 10:39:27 -0700
[Message part 1 (text/plain, inline)]
Source: volume-key
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: buildpath usrmerge shell
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The build path, several binary paths, and the value of the SHELL
variable are embedded in example Makefiles shipped in the package:

  https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/volume-key.html

  ./usr/share/doc/volume_key/contrib/Makefile.gz

  ACLOCAL·=·${SHELL}·'/build/1st/volume-key-0.3.12/admin/missing'·aclocal-1.16
  vs.
  ACLOCAL·=·${SHELL}·'/build/2/volume-key-0.3.12/2nd/admin/missing'·aclocal-1.16

  GREP·=·/bin/grep
  vs.
  GREP·=·/usr/bin/grep

  SHELL·=·/bin/bash
  vs.
  SHELL·=·/bin/sh

Since these values may differ with the installed system, in order to use
the example Makefiles, a person would have to regenerate them from
Makefile.am or Makefile.in, which are also provided.

The attached patch adjusts debian/rules to remove the Makefile before
running dh_install.


If that is somehow not an option, an alternate option would be to
sanitize the Makefiles stripping the build path (or replacing with
/usr/src?), and possibly passing various variables to configure
(e.g. GREP=/bin/grep, SHELL=/bin/sh, ...).


Thanks for maintaining volume-key!


live well,
  vagrant
[0001-debian-rules-Remove-Makefile-to-resolve-reproducibil.patch (text/x-diff, inline)]
From a751749dabf2dd4b87796cb5924ba7e0d0cf7cf5 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Fri, 25 Jun 2021 17:25:14 +0000
Subject: [PATCH] debian/rules: Remove Makefile to resolve reproducibility
 issues.

The build path, several binary paths, and the value of the SHELL
variable are embedded in a Makefile shipped in the package.

Since these values may differ with the installed system, in order to use
the example Makefiles, a person would have to regenerate them from
Makefile.am or Makefile.in, which are also provided.
---
 debian/rules | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/rules b/debian/rules
index 3e2b027..0ba6e6a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -16,6 +16,8 @@ override_dh_auto_configure:
 
 override_dh_install:
 	find debian/tmp -name '*.la' -print -delete
+	# Remove example Makefile to fix reproducibility issues
+	find contrib -name Makefile -print -delete
 	dh_install
 
 override_dh_missing:
-- 
2.32.0

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>:
Bug#990323; Package src:volume-key. (Fri, 25 Jun 2021 19:03:03 GMT) (full text, mbox, link).


Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>. (Fri, 25 Jun 2021 19:03:03 GMT) (full text, mbox, link).


Message #10 received at 990323@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: Vagrant Cascadian <vagrant@reproducible-builds.org>, 990323@bugs.debian.org
Subject: Re: [Pkg-utopia-maintainers] Bug#990323: volume-key: reproducible-builds: Example Makefiles embed build paths and binary paths
Date: Fri, 25 Jun 2021 21:00:57 +0200
[Message part 1 (text/plain, inline)]
Am 25.06.21 um 19:39 schrieb Vagrant Cascadian:
> The attached patch adjusts debian/rules to remove the Makefile before
> running dh_install.

Personally, I would probably just drop the following line from 
debian/volume-key.install

contrib usr/share/doc/volume_key

Any objections? Does anyone find those scripts particularly useful?


[OpenPGP_signature (application/pgp-signature, attachment)]

Reply sent to Michael Biebl <biebl@debian.org>:
You have taken responsibility. (Fri, 02 Sep 2022 12:42:05 GMT) (full text, mbox, link).


Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Fri, 02 Sep 2022 12:42:05 GMT) (full text, mbox, link).


Message #15 received at 990323-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 990323-close@bugs.debian.org
Subject: Bug#990323: fixed in volume-key 0.3.12-4
Date: Fri, 02 Sep 2022 12:39:35 +0000
Source: volume-key
Source-Version: 0.3.12-4
Done: Michael Biebl <biebl@debian.org>

We believe that the bug you reported is fixed in the latest version of
volume-key, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990323@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated volume-key package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 02 Sep 2022 13:51:10 +0200
Source: volume-key
Architecture: source
Version: 0.3.12-4
Distribution: unstable
Urgency: medium
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 990323
Changes:
 volume-key (0.3.12-4) unstable; urgency=medium
 .
   * Team upload
   * Add proper meta data to the patch from the NMU
   * Bump debhelper-compat to 13
   * Drop no longer needed override for dh_missing.
     In compat 13 and later, --fail-missing is the default.
   * Use execute_before instead of override for dh_install
   * Bump Standards-Version to 4.6.1
   * Stop installing AUTHORS and README file twice.
     They are already installed via debian/docs.
   * Stop installing contrib/ directory.
     Besides some example scripts, the directory contains a generated
     Makefile that embeds build paths and thus breaks reproducibility.
     (Closes: #990323)
   * Mark libvolume-key1 and libvolume-key-dev as Multi-Arch: same
Checksums-Sha1:
 490774e27006cda63e86a5ab1a479c3e6062cd72 2286 volume-key_0.3.12-4.dsc
 820165b0a26d38e0fd2a0976340cbb5cfa377c0a 5564 volume-key_0.3.12-4.debian.tar.xz
 7c2a0ecceb0887691f2e2fa97e13aa2e6975deb3 12845 volume-key_0.3.12-4_source.buildinfo
Checksums-Sha256:
 148d80e9f690b6d73bb347875297e94324127c43d0c434494fdaecc0335325a6 2286 volume-key_0.3.12-4.dsc
 e9e439145fdfd7874646f6fb38039d784b69cb52161ff5437e7645708625d6a2 5564 volume-key_0.3.12-4.debian.tar.xz
 a01fe8388807de53a2a8617606d397480797cd11c6d85346d3ef8a20dbdf375f 12845 volume-key_0.3.12-4_source.buildinfo
Files:
 ed55c639f3d3a6834f5900863675b4cb 2286 utils optional volume-key_0.3.12-4.dsc
 1c6da9598f4fac44e6f161634a8ec2cb 5564 utils optional volume-key_0.3.12-4.debian.tar.xz
 b9936eeab4fff3982387f44cf9d73dd9 12845 utils optional volume-key_0.3.12-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEECbOsLssWnJBDRcxUauHfDWCPItwFAmMR9MoACgkQauHfDWCP
Itxjtg/8DLIFEnbZvFFoJB/oZDUKh2UtajwPqFpXA2wzxmGNtZF/h6vvteE+BokZ
O1R32Q14M1MhJT2furCWohVFfHy70lZCInPF0OtdBzOt3gyLuQ+Yjc8k7SMbxcxu
n1Vakj6nWZOtP7RbtKTSBuWurZ62zyg/jVW5ti+Fn8+5AUvFeYRCOELc6mDBV/Sk
sliH3H2FqZv9wPQkrqOjSG9Hb4BT3e2Wl3/ODloeYEZbS2EojlU4Bx8mcc++737D
kmJlC9Eba5E5xyp6e7co+ad8voeiJBIrAfbTw8+1FunJF/OJGgBvWFp6wrQuerOP
0N1yXyf0CvTQohm77TfWO9oLgYOR6q7eQbQsV2pN74VCX6/TuPJmCp5k3RJCaW/U
i59NUEvblc22j2G/8kudlCVEfrVgbLLZmsbDLogvI/jmiXLden4+z8qTvJFuA1kd
S4UyHxLlwZJidIG1ocadOjlQvHkY011pJqEE902Fk80AM4O4M3ATb6xVEFpwBNP+
0HuGfQAgJnUpVJEAdrLDOOH95SlHW1IPsIQFlhjobeTaBI9wrAP2oNLUsoMFcFGA
kHXekV+qGFvO7DuDO1jnFgeaD+UWawj7vY0ElHhsgKF+sLp9cCeDiBmoeD/iQKYK
d28OuWKy88ATojjyDpIpxSQ605CRfDS6wEpsqfw0HnI1ropm4H0=
=D3ct
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 11 Oct 2022 07:25:54 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Jan 31 00:43:07 2025; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.