Debian Bug report logs - #846842
nethogs: please make the build reproducible

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: submit@bugs.debian.org

Subject: nethogs: please make the build reproducible

Date: Sat, 03 Dec 2016 18:00:49 +0100

[Message part 1 (text/plain, inline)]

Source: nethogs
Version: 0.8.5-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: builpath
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0], we noticed
that nethogs could not be built reproducibly.

This is due to upstream's determineVersion.sh using the output
of "pwd". 

Patch attached. It overrides from debian/changelog.


 [0] https://reproducible-builds.org/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

[nethogs.diff.txt (text/plain, attachment)]

Message #10 received at 846842-close@bugs.debian.org (full text, mbox, reply):

From: Paulo Roberto Alves de Oliveira (aka kretcheu) <kretcheu@gmail.com>

To: 846842-close@bugs.debian.org

Subject: Bug#846842: fixed in nethogs 0.8.5-2

Date: Sun, 04 Dec 2016 13:19:00 +0000

Source: nethogs
Source-Version: 0.8.5-2

We believe that the bug you reported is fixed in the latest version of
nethogs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 846842@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paulo Roberto Alves de Oliveira (aka kretcheu) <kretcheu@gmail.com> (supplier of updated nethogs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 04 Dec 2016 10:46:00 -0200
Source: nethogs
Binary: nethogs
Architecture: source amd64
Version: 0.8.5-2
Distribution: unstable
Urgency: medium
Maintainer: Paulo Roberto Alves de Oliveira (aka kretcheu) <kretcheu@gmail.com>
Changed-By: Paulo Roberto Alves de Oliveira (aka kretcheu) <kretcheu@gmail.com>
Description:
 nethogs    - Net top tool grouping bandwidth per process
Closes: 846842
Changes:
 nethogs (0.8.5-2) unstable; urgency=medium
 .
   * debian/rules:
       - Added override_dh_auto_build to be built reproducibly (Closes:846842).
         thanks to Chris Lamb <lamby@debian.org>.
Checksums-Sha1:
 2d774db4991db4e74eb318b6340c90b5cfe84f4d 1762 nethogs_0.8.5-2.dsc
 e9bb5d42563885e5c08d4d3d917e9e12be28440e 4820 nethogs_0.8.5-2.debian.tar.xz
 30cfe99841cca6be87726d3bb89787f5bfabcf31 223134 nethogs-dbgsym_0.8.5-2_amd64.deb
 0a366c7a5df0ccab6658b9f8a322c360d7d107f2 5379 nethogs_0.8.5-2_amd64.buildinfo
 a4acaf50c2b4109d6ae376364567bab0904ecf57 30272 nethogs_0.8.5-2_amd64.deb
Checksums-Sha256:
 ebd0fb3d795587ca174654f08701ee477d4cdfbff0b6a49092f611b11835caa9 1762 nethogs_0.8.5-2.dsc
 f2b09cccbe4f762fa7725827e1ce7544bb11a6aae19fa9ffdbaf24c09ac5bb5a 4820 nethogs_0.8.5-2.debian.tar.xz
 aeaf758584ce74b2d1894ae3587dda56d4b51875beedb8e4461f8b8db3a0b529 223134 nethogs-dbgsym_0.8.5-2_amd64.deb
 f23a5f01d9b7ceef4150b11222a2025e69e3a32264853bb339bfc9121a160f4c 5379 nethogs_0.8.5-2_amd64.buildinfo
 7c4cfb10530dd558a21aede3da2c6f1cd4a1e6a78c473502d848959a6d0d27eb 30272 nethogs_0.8.5-2_amd64.deb
Files:
 b5134bddb9e4d90977b005335b1896f2 1762 net optional nethogs_0.8.5-2.dsc
 17df29d4b0017811adf9e86e3f522aaa 4820 net optional nethogs_0.8.5-2.debian.tar.xz
 399a801e8ef1fc5cadbfdb60c182bffc 223134 debug extra nethogs-dbgsym_0.8.5-2_amd64.deb
 3d2d943c21d074e9426a27de665125e5 5379 net optional nethogs_0.8.5-2_amd64.buildinfo
 cb7cbd8b8a26f98752989ab75ab88f31 30272 net optional nethogs_0.8.5-2_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEXjotitpi0kBiLshCOfF6X1rvvnMFAlhEE7UACgkQOfF6X1rv
vnNBYQ/+M2K4geSQWZGN5vQHXT2GePoMn7Rmgll2LoyHMSJtl+SjGRbvfqHap8ou
avPV+twGcHle6c6iXUnweuC3zzs4yFbksXFgVereSfnez3oQjgXRLT+F9DeSWkzb
MQIf++ctNhGsslISerQtA3tFWWL251eQ0afqTlD34jG0zvfDNozrf93k65qQScky
AEsz0pvaHboSAk5wlycVxPH31p32SZV3QcFkWoubQYYUdeLAHcNZhWb5O1PCDss4
Ny6T87iM5qfOS0AzyWnyvRsVWKpf5iFLqNX4YyomyFACUTPlgKv08hb96xETn63d
CjdYQByNuL0vLoOmXEvcRA8mf/TB02nxJP7BswlyMWQouEsVh+6OqKpRaAnz1/y4
hfrh3RgrRsJzVq6YgKzmJe44KDWwlcZeJGoHzcBiHKA7fNxFH04mw0rHtRv5CqrZ
1gP5Q06Ic21zPxh868vQmS9o84C+qwRMh3XGpm1fLin9/pW30tARPfo7wbe1++ul
7QexsIXVXmBmB+dp5aZTOBO1sRQhJbJYqGJrj930Ra4OrfiILMGwManSvpGe/04f
lnGf/TX3qsJWC3T2/PW+NMpOK3PdJYeoBIV3T64swxFaiLfzFoJVUCiWoXd/XDaw
uKBAxVOMWrtehAbzOAdHEs+D+5NudY+2jykoBBsPmEHJvvHn1hs=
=GLvl
-----END PGP SIGNATURE-----

Message #15 received at 846842@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: 846842@bugs.debian.org

Subject: Fwd: Re: Bug#846842: nethogs: please make the build reproducible

Date: Fri, 23 Dec 2016 10:46:16 +0000

[Forwarding to BTS]

----- Original message -----
From: Arnout Engelen <arnout@bzzt.net>
To: Chris Lamb <lamby@debian.org>
Subject: Re: Bug#846842: nethogs: please make the build reproducible
Date: Fri, 23 Dec 2016 11:37:55 +0100

Hi Chris,

First off, thanks for your efforts in making the builds more reproducible,
this is an important topic.

I'm the upstream nethogs author/maintainer, and I'd like to see if there's
something more I can do to help.

'determineVersion.sh' indeed uses `pwd` (when building from outside git).
Indeed in general leaking the full build path into the artifact seems like
a bad idea (https://reproducible-builds.org/docs/build-path/). In this
particular case, though, I only use the last segment of the path to
determine the version.

To me it doesn't sound unreasonable to consider the last segment of the
build path part of the build environment (so I already consider the nethogs
build 'reproducible' in that regard). Do you have any thoughts on that?


Kind regards,

Arnout

On Sat, Dec 3, 2016 at 6:00 PM, Chris Lamb <lamby@debian.org> wrote:

> Source: nethogs
> Version: 0.8.5-1
> Severity: wishlist
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: builpath
> X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
>
> Hi,
>
> Whilst working on the Reproducible Builds effort [0], we noticed
> that nethogs could not be built reproducibly.
>
> This is due to upstream's determineVersion.sh using the output
> of "pwd".
>
> Patch attached. It overrides from debian/changelog.
>
>
>  [0] https://reproducible-builds.org/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Message #20 received at 846842@bugs.debian.org (full text, mbox, reply):

From: Chris Lamb <lamby@debian.org>

To: Arnout Engelen <arnout@bzzt.net>

Cc: 846842@bugs.debian.org

Subject: Re: Bug#846842: nethogs: please make the build reproducible

Date: Fri, 23 Dec 2016 10:52:42 +0000

[Please retain 846842@bugs.debian.org in CC]

Hey Arnout,

Thanks for getting in touch and for your kind words on reproducible
builds. :)

> To me it doesn't sound unreasonable to consider the last segment of the
> build path part of the build environment

Could you elaborate why? We feel that the entire build path including
the basename(1) (or "last segment") to be:

  a) something up to the local package builder to decide.

  b) A poor method of storing metadata. It seems quite fragile and also
     non-intuitive; if a user searches the source tree for the version
     number, they won't actually find it within any of the files!

Our comprehensive testing framework deliberately varies this build path
to flush out these issues FYI.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Message #25 received at 846842@bugs.debian.org (full text, mbox, reply):

From: Arnout Engelen <arnout@bzzt.net>

To: Chris Lamb <lamby@debian.org>

Cc: 846842@bugs.debian.org

Subject: Re: Bug#846842: nethogs: please make the build reproducible

Date: Tue, 10 Jan 2017 14:48:28 +0100

[Message part 1 (text/plain, inline)]

On Fri, Dec 23, 2016 at 11:52 AM, Chris Lamb <lamby@debian.org> wrote:

> > To me it doesn't sound unreasonable to consider the last segment of the
> > build path part of the build environment
>
> Could you elaborate why? We feel that the entire build path including
> the basename(1) (or "last segment") to be:
>
>   a) something up to the local package builder to decide.
>
>   b) A poor method of storing metadata. It seems quite fragile and also
>      non-intuitive; if a user searches the source tree for the version
>      number, they won't actually find it within any of the files!
>

Not having the version in the source tree is actually intentional: this
way, we can promote a certain commit to 'release' without having to add
'bump version to X'/'bump version to (X+1)-SNAPSHOT'-style commits to the
history.

This way we avoid some risks:

- if you commit the released versions, people branching from that commit
might accidentally build binaries that seem/claim to also be that version
even though they aren't. When using tags instead, you can't really
accidentally tag multiple commits with the same tag.

- if you don't commit the final version (and commit 'x.y.z+1-SNAPSHOT' or
something similar instead), there is no commit that is byte-per-byte
identical to a git commit. I like to have that (I can even sign that commit
which is nice).

Our comprehensive testing framework deliberately varies this build path to
> flush out these issues FYI.
>

Yes I figured it was probably intentional, so I thought I'd reach out and
find out why :).


Kind regards,

Arnout

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.