Debian Bug report logs - #880827
roundcube: please make the build reproducible
Reported by: Chris Lamb <lamby@debian.org>
Date: Sat, 4 Nov 2017 22:18:02 UTC
Severity: wishlist
Tags: patch
Found in version roundcube/1.3.1+dfsg.1-1
Fixed in version roundcube/1.3.3+dfsg.1-1
Done: Guilhem Moulin <guilhem@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>: Bug#880827; Package src:roundcube. (Sat, 04 Nov 2017 22:18:04 GMT)
Acknowledgement sent to Chris Lamb <lamby@debian.org>: New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>. (Sat, 04 Nov 2017 22:18:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: roundcube
Version: 1.3.1+dfsg.1-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Hi,
Whilst working on the Reproducible Builds effort [0], we noticed
that roundcube could not be built reproducibly.
This is because it extracts zipfiles as part of the build in
debian/install-jsdeps.sh which need normalising.
Patch attached.
[0] https://reproducible-builds.org/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
[roundcube.diff.txt (text/plain, attachment)]
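An added example (not the patch attached to this report, and not the package's own code) of one common way to normalise files unpacked during a build: extract with a pinned time zone, then clamp every mtime newer than `SOURCE_DATE_EPOCH`. The function names are hypothetical, and GNU find, touch and stat are assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical and do not come from
# debian/install-jsdeps.sh. Assumes GNU findutils and coreutils.

# clamp_mtimes DIR EPOCH
# Set every entry under DIR whose mtime is newer than EPOCH back to EPOCH.
# Entries that are already older keep their original mtime.
clamp_mtimes() {
    find "$1" -newermt "@$2" -print0 |
        xargs -0r touch --no-dereference --date="@$2"
}

# extract_normalised ZIP DEST [EPOCH]
# ZIP's DOS timestamps carry no time zone, so pin TZ before unpacking,
# then clamp. EPOCH defaults to SOURCE_DATE_EPOCH from the build environment.
extract_normalised() {
    epoch=${3:-${SOURCE_DATE_EPOCH:?SOURCE_DATE_EPOCH is not set}}
    TZ=UTC unzip -q -o "$1" -d "$2"
    clamp_mtimes "$2" "$epoch"
}

# tree_digest DIR
# Hash names, mtimes and file contents of DIR so that two build trees can be
# compared; equal digests mean the trees would package identically in these
# respects.
tree_digest() {
    (
        cd "$1" || exit 1
        {
            find . -exec stat -c '%n %Y' {} +
            find . -type f -exec sha256sum {} +
        } | LC_ALL=C sort | sha256sum | cut -d' ' -f1
    )
}
```

Comparing `tree_digest` of two independent builds before and after clamping shows whether extraction timestamps were the only source of variation.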
Reply sent to Guilhem Moulin <guilhem@debian.org>: You have taken responsibility. (Thu, 09 Nov 2017 05:09:11 GMT)
Notification sent to Chris Lamb <lamby@debian.org>: Bug acknowledged by developer. (Thu, 09 Nov 2017 05:09:11 GMT)
Message #10 received at 880827-close@bugs.debian.org:
Source: roundcube
Source-Version: 1.3.3+dfsg.1-1
We believe that the bug you reported is fixed in the latest version of
roundcube, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 880827@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guilhem@debian.org> (supplier of updated roundcube package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 09 Nov 2017 05:32:13 +0100
Source: roundcube
Binary: roundcube-core roundcube roundcube-mysql roundcube-pgsql roundcube-sqlite3 roundcube-plugins
Architecture: source all
Version: 1.3.3+dfsg.1-1
Distribution: unstable
Urgency: high
Maintainer: Debian Roundcube Maintainers <pkg-roundcube-maintainers@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Description:
roundcube - skinnable AJAX based webmail solution for IMAP servers - metapack
roundcube-core - skinnable AJAX based webmail solution for IMAP servers
roundcube-mysql - metapackage providing MySQL dependencies for RoundCube
roundcube-pgsql - metapackage providing PostgreSQL dependencies for RoundCube
roundcube-plugins - skinnable AJAX based webmail solution for IMAP servers - plugins
roundcube-sqlite3 - metapackage providing SQLite dependencies for RoundCube
Closes: 876722 877275 880194 880827
Changes:
 roundcube (1.3.3+dfsg.1-1) unstable; urgency=high
 .
   * New upstream release.  It primarily fixes a recently discovered file
     disclosure vulnerability caused by insufficient input validation in
     conjunction with file-based attachment plugins, which are used by default.
     More details will be published under CVE-2017-16651.
   * debian/rules:
     + Make the build reproducible.  Thanks to Chris Lamb for the report and
       patch.  (Closes: #880827.)
     + Run `chmod 0755 plugins/password/helpers/*.p[ly]`
     + Fix precedence in find(1) call in override_dh_install.  Thanks to Chris
       Lamb for the report and patch.  (Closes: #876722.)
   * debian/control:
     + Replace "Priority: extra" (deprecated since Debian Policy 4.0.1) with
       "Priority: optional".
     + Bump Standards-Version to 4.1.0 (no changes needed).
     + Promote php-mysql to first alternative in roundcube-mysql's
       dependencies: it currently depends on php7.0-mysql, which in turn
       provides virtual package php-mysqlnd.
   * Patch /etc/roundcube/htaccess to use mod_php7.c in the <IfModule>
     directive.  Thanks to Peter Nowee for the report and patch.  (Closes:
     #880194.)
   * debian/roundcube-core.preinst: Add "#DEBHELPER#" placeholder.
   * debian/roundcube-core.links: Remove robots.txt, which is no longer shipped
     by the package since 1.3.0+dfsg.1-1.  (Closes: #877275.)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 23 Dec 2017 07:26:19 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:49:42 2023; Machine Name: buxtehude