Debian Bug report logs - #952762
openstack-pkg-tools: please make the build reproducible


Package: src:openstack-pkg-tools; Maintainer for src:openstack-pkg-tools is Debian OpenStack <team+openstack@tracker.debian.org>;

Reported by: "Chris Lamb" <lamby@debian.org>

Date: Fri, 28 Feb 2020 18:18:02 UTC

Severity: wishlist

Tags: patch

Found in version openstack-pkg-tools/108

Done: Thomas Goirand <zigo@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#952762; Package src:openstack-pkg-tools. (Fri, 28 Feb 2020 18:18:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>. (Fri, 28 Feb 2020 18:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: submit@bugs.debian.org
Subject: openstack-pkg-tools: please make the build reproducible
Date: Fri, 28 Feb 2020 10:15:20 -0800
Source: openstack-pkg-tools
Version: 108
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Hi,

Whilst working on the Reproducible Builds effort [0] we noticed that
openstack-pkg-tools is causing other packages to be built in an
unreproducible manner.

In particular, the "/usr/bin/pkgos-dh_auto_install" script may nondeterministically create packages with differing shebangs and binary dependencies. For example, this is from src:redfishtool:

│ -#!/usr/bin/python3.7
│ +#!/usr/bin/python3.8

[…]

│ │ │ │ -Depends: python3-requests, python3.8:any, python3:any
│ │ │ │ +Depends: python3-requests, python3.7:any, python3:any

§

This is caused by a number of layered reasons. First, we are building
all supported Python versions (eg. Python 3.7 and Python 3.8) in
separate directories but then sequentially installing them to the
same destination, debian/${TARGET_DIR}.

However, this causes problems because if latter installations complete
in less than one second, distutils may decide to skip copying files in
the shared destination as it incorrectly believes them to be up-to-
date. This will result in a package arbitrarily containing scripts
with different version shebangs depending on the approximate total
execution speed of installation. This is, needless to say,
nondeterministic.

For example, if we build for both Python 3.7 and Python 3.8 but the
installation of the latter occurs within the same wall clock second of
the former, the Python 3.8 version will not overwrite the Python 3.7
version and lead to a shebang of #!/usr/bin/python3.7 … whilst if it
does not occur within the same second, the shebang will be overwritten
to #!/usr/bin/python3.8.

A patch is attached that passes --force to `setup.py install [..]`
which will avoid the underlying calls to distutils's `dep_util.newer`
and thus will always update.

  [0] https://reproducible-builds.org/


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[openstack-pkg-tools.diff.txt (text/plain, attachment)]
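
The timing dependence described in the report above can be modelled as follows. This is an added example, not the attached patch and not code from openstack-pkg-tools or distutils: `newer`, `install_script` and `simulate` are hypothetical names, the whole-second mtime comparison is a simplified model of the `dep_util.newer` check the report mentions, and the timestamps are constructed.

```python
import os
import shutil
import tempfile


def newer(source, target):
    """Simplified staleness check: source counts as newer only if its mtime,
    truncated to whole seconds, is greater than the target's (assumption)."""
    if not os.path.exists(target):
        return True
    return int(os.stat(source).st_mtime) > int(os.stat(target).st_mtime)


def install_script(source, target, force=False):
    """Copy source over target unless target looks up to date.

    Returns True if the file was written. force=True models passing
    --force, which bypasses the staleness check entirely."""
    if not force and not newer(source, target):
        return False
    shutil.copy2(source, target)  # copy2 preserves the source mtime
    return True


def simulate(gap_seconds, force=False):
    """Build one script per Python version in separate files, install both
    to a single shared destination, and return the shebang that survives."""
    base = 1582913720.0  # constructed timestamp for the first build
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "installed-script")
        for index, version in enumerate(("3.7", "3.8")):
            src = os.path.join(root, "build-" + version)
            with open(src, "w") as handle:
                handle.write("#!/usr/bin/python%s\n" % version)
            stamp = base + index * gap_seconds
            os.utime(src, (stamp, stamp))
            install_script(src, dest, force=force)
        with open(dest) as handle:
            return handle.readline().strip()


if __name__ == "__main__":
    for gap in (0.4, 1.5):
        print("gap %.1fs:" % gap, simulate(gap), "| forced:", simulate(gap, force=True))
```

Two builds of identical source therefore differ only by how fast the machine was, which is exactly the kind of variation a reproducibility check is meant to surface.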

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#952762; Package src:openstack-pkg-tools. (Sat, 29 Feb 2020 00:45:02 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Sat, 29 Feb 2020 00:45:03 GMT)


Message #10 received at 952762@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Chris Lamb <lamby@debian.org>, 952762@bugs.debian.org
Subject: Re: Bug#952762: openstack-pkg-tools: please make the build reproducible
Date: Sat, 29 Feb 2020 01:41:33 +0100
On 2/28/20 7:15 PM, Chris Lamb wrote:
> Source: openstack-pkg-tools
> Version: 108
> Severity: wishlist
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: toolchain
> X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
> 
> Hi,
> 
> Whilst working on the Reproducible Builds effort [0] we noticed that
> openstack-pkg-tools is causing other packages to be built in an
> unreproducible manner.
> 
> In particular, the "/usr/bin/pkgos-dh_auto_install" script may nondeterministically create packages with differing shebangs and binary dependencies. For example, this is from src:redfishtool:
> 
> │ -#!/usr/bin/python3.7
> │ +#!/usr/bin/python3.8
> 
> […]
> 
> │ │ │ │ -Depends: python3-requests, python3.8:any, python3:any
> │ │ │ │ +Depends: python3-requests, python3.7:any, python3:any
> 
> §
> 
> This is caused by a number of layered reasons. First, we are building
> all supported Python versions (eg. Python 3.7 and Python 3.8) in
> separate directories but then sequentially installing them to the
> same destination, debian/${TARGET_DIR}.
> 
> However, this causes problems because if latter installations complete
> in less than one second, distutils may decide to skip copying files in
> the shared destination as it incorrectly believes them to be up-to-
> date. This will result in a package arbitrarily containing scripts
> with different version shebangs depending on the approximate total
> execution speed of installation. This is, needless to say,
> nondeterministic.
> 
> For example, if we build for both Python 3.7 and Python 3.8 but the
> installation of the latter occurs within the same wall clock second of
> the former, the Python 3.8 version will not overwrite the Python 3.7
> version and lead to a shebang of #!/usr/bin/python3.7 … whilst if it
> does not occur within the same second, the shebang will be overwritten
> to #!/usr/bin/python3.8.
> 
> A patch is attached that passes --force to `setup.py install [..]`
> which will avoid the underlying calls to distutils's `dep_util.newer`
> and thus will always update.
> 
>   [0] https://reproducible-builds.org/
> 
> 
> Regards,

Hi Chris!

This is very nice, but in fact, having python3.8 or python3.7, can be
considered as a bug in the packages I maintain. Indeed, what it means is
that the package is missing:

override_dh_python3:
        dh_python3 --shebang=/usr/bin/python3

Without this, the package incorrectly will have python3.x as dependency
instead of python3:any.

Do I understand well that you saw this in redfishtool? In such case,
that's where the bug should be filed, IMO.

Your thoughts?
Cheers,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#952762; Package src:openstack-pkg-tools. (Sun, 01 Mar 2020 02:00:02 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Sun, 01 Mar 2020 02:00:02 GMT)


Message #15 received at 952762@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Thomas Goirand" <zigo@debian.org>, 952762@bugs.debian.org
Subject: Re: Bug#952762: openstack-pkg-tools: please make the build reproducible
Date: Sun, 01 Mar 2020 01:57:03 -0000
Hi Thomas,

> Do I understand well that you saw this in redfishtool? In such case,
> that's where the bug should be filed, IMO.

I think we have two issues here. This one (ie. the timing problem) in
openstack-pkg-tools is still something that should be fixed,
regardless of what other packages do IMHO.

> This is very nice, but in fact, having python3.8 or python3.7, can be
> considered as a bug in the packages I maintain. Indeed, what it means is
> that the package is missing:
> 
> override_dh_python3:
>         dh_python3 --shebang=/usr/bin/python3

This sounds logical. However, would this not be better fixed centrally
for *all* packages that use /usr/share/openstack-pkg-tools/pkgos.make
rather than add the following snippet to redfishtool? I don't see this
package doing anything particularly special, and making this change in
every leaf package doesn't seem very elegant to me.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#952762; Package src:openstack-pkg-tools. (Mon, 02 Mar 2020 14:06:03 GMT)


Acknowledgement sent to Thomas Goirand <zigo@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Mon, 02 Mar 2020 14:06:03 GMT)


Message #20 received at 952762@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: Chris Lamb <lamby@debian.org>, 952762@bugs.debian.org
Subject: Re: Bug#952762: openstack-pkg-tools: please make the build reproducible
Date: Mon, 2 Mar 2020 15:04:16 +0100
On 3/1/20 2:57 AM, Chris Lamb wrote:
> Hi Thomas,
> 
>> Do I understand well that you saw this in redfishtool? In such case,
>> that's where the bug should be filed, IMO.
> 
> I think we have two issues here. This one (ie. the timing problem) in
> openstack-pkg-tools is still something that should be fixed,
> regardless of what other packages do IMHO.
> 
>> This is very nice, but in fact, having python3.8 or python3.7, can be
>> considered as a bug in the packages I maintain. Indeed, what it means is
>> that the package is missing:
>>
>> override_dh_python3:
>>         dh_python3 --shebang=/usr/bin/python3
> 
> This sounds logical. However, would this not be better fixed centrally
> for *all* packages that use /usr/share/openstack-pkg-tools/pkgos.make
> rather than add the following snippet to redfishtool? I don't see this
> package doing anything particularly special, and making this change in
> every leaf package doesn't seem very elegant to me.
> 
> 
> Regards,

The problem is, some package may need to customize dh_python3 calls even
further. For example:

override_dh_python3:
    dh_python3 --shebang=/usr/bin/python3
    dh_python3 /usr/share/foo

if there's some Python files in /usr/share/foo

So there's no "one fit all" solution. Or do you have a suggestion here?

Cheers,

Thomas Goirand (zigo)



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenStack <team+openstack@tracker.debian.org>:
Bug#952762; Package src:openstack-pkg-tools. (Tue, 03 Mar 2020 02:00:04 GMT)


Acknowledgement sent to "Chris Lamb" <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenStack <team+openstack@tracker.debian.org>. (Tue, 03 Mar 2020 02:00:04 GMT)


Message #25 received at 952762@bugs.debian.org:

From: "Chris Lamb" <lamby@debian.org>
To: "Thomas Goirand" <zigo@debian.org>, 952762@bugs.debian.org
Subject: Re: Bug#952762: openstack-pkg-tools: please make the build reproducible
Date: Tue, 03 Mar 2020 01:57:06 -0000
Hi Thomas,

> The problem is, some package may need to customize dh_python3 calls even
> further. For example:
> 
> override_dh_python3:
>     dh_python3 --shebang=/usr/bin/python3
>     dh_python3 /usr/share/foo
> 
> if there's some Python files in /usr/share/foo
> 
> So there's no "one fit all" solution.

May I suggest we keep this bug (ie. #952762) strictly on the
non-deterministic nature of the utility methods in openstack-pkg-tools which
exist regardless of the above difficulties. These are two highly
related yet separate issues at work here and I would not feel
comfortable if they got lost, confused with or got blocked by each
other.

Unfortunately, I'm not familiar with the ramifications on your quoted
code so I'll have to leave any suggestions on the above to yourself
and/or anybody else involved in maintaining OpenStack in any case.
Thanks for understanding.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org 🍥 chris-lamb.co.uk
       `-



Reply sent to Thomas Goirand <zigo@debian.org>:
You have taken responsibility. (Mon, 11 May 2020 07:57:03 GMT)


Notification sent to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer. (Mon, 11 May 2020 07:57:03 GMT)


Message #30 received at 952762-done@bugs.debian.org:

From: Thomas Goirand <zigo@debian.org>
To: 952762-done@bugs.debian.org
Subject: Closing
Date: Mon, 11 May 2020 09:53:42 +0200
Hi Chris,

I insist: the bug is in each individual package not setting-up the
shebang as they should, it's not in openstack-pkg-tools. I don't feel
like fixing the issue here will make things better, quite the opposite:
instead of finding the issue in the reproducible build, your proposal
will hide it here, keeping the problem active and detected, which gives
a chance to fix the package.

The consequence of having the wrong shebang (ie: a specific version of
python rather than the generic python3) means it's going to be a pain
for those managing the Python 3 transitions: the package who has the
wrong shebang needs to be rebuilt. This *must* be fixed.

Cheers,

Thomas Goirand (zigo)



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Jun 2020 07:31:29 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 12:16:54 2023; Machine Name: buxtehude
