Debian Bug report logs -
#1034199
lomiri: reproducible builds: temporary directories embedded in .sh files
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian UBports Team <team+ubports@tracker.debian.org>:
Bug#1034199; Package src:lomiri.
(Mon, 10 Apr 2023 23:15:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian UBports Team <team+ubports@tracker.debian.org>.
(Mon, 10 Apr 2023 23:15:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: lomiri
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
The files in the lomiri tarball appear to be in arbitrary order,
possibly affected by locale or filesystem differences:
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/lomiri.html
/usr/libexec/lomiri/tests/scripts/gdbtestLomiriSortFilterProxyModel.sh
export·HOME=/tmp/tmp.RvWPuq0Oob
vs.
export·HOME=/tmp/tmp.lLVsKmMCrB
The attached patch to an upstream CMakeLists.txt file fixes this by
specifying HOME=/nonexistent.
I have not tested that this actually functions correctly, only that it
fixes the reproducibility issue... however, relying on HOME being set to
a temporary directory at build time is a bit of a security risk (as
anyone can write to /tmp)... an alternate fix might be using mktemp -d
at runtime rather than build time?
According to my local tests, applying this patch (and another soon to be
submitted) should make lomiri build reproducibly on
tests.reproducible-builds.org once lomiri lands in debian testing!
(tests for debian unstable/experimental also test build path variations,
which introduce additional issues)
Thanks for maintaining lomiri!
live well,
vagrant
[0002-tests-plugins-Utils-CMakeLists.txt-Avoid-embedding-a.patch (text/x-diff, inline)]
From 72922583a433728186c3ffeabb6c407e42e63d12 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Mon, 10 Apr 2023 14:16:30 -0700
Subject: [PATCH 2/4] tests/plugins/Utils/CMakeLists.txt: Avoid embedding a
randomized HOME value.
---
tests/plugins/Utils/CMakeLists.txt | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/plugins/Utils/CMakeLists.txt b/tests/plugins/Utils/CMakeLists.txt
index ebf5047..93aa5a9 100644
--- a/tests/plugins/Utils/CMakeLists.txt
+++ b/tests/plugins/Utils/CMakeLists.txt
@@ -20,7 +20,7 @@ foreach(util_test
DESTINATION "${SHELL_PRIVATE_LIBEXECDIR}/tests/plugins/Utils"
)
add_lomiri_unittest(${util_test} ${util_test}TestExec ADD_TEST
- ENVIRONMENT LD_LIBRARY_PATH=${CMAKE_BINARY_DIR}/plugins/Utils HOME=${TMPDIR}
+ ENVIRONMENT LD_LIBRARY_PATH=${CMAKE_BINARY_DIR}/plugins/Utils HOME=/nonexistent
)
endforeach()
--
2.39.2
[signature.asc (application/pgp-signature, inline)]
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed May 17 11:44:01 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.