Debian Bug report logs - #992722
nbdkit: non-reproducible build: CFLAGS are recorded in built binary

Package: src:nbdkit; Maintainer for src:nbdkit is Hilko Bengen <bengen@debian.org>;

Reported by: Simon McVittie <smcv@debian.org>

Date: Sun, 22 Aug 2021 17:21:02 UTC

Severity: minor

Tags: patch

Found in version nbdkit/1.26.5-1

Fixed in version nbdkit/1.26.6-1

Done: Hilko Bengen <bengen@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#992722; Package src:nbdkit. (Sun, 22 Aug 2021 17:21:04 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Hilko Bengen <bengen@debian.org>. (Sun, 22 Aug 2021 17:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: nbdkit: non-reproducible build: CFLAGS are recorded in built binary
Date: Sun, 22 Aug 2021 18:17:45 +0100
Source: nbdkit
Version: 1.26.5-1
Severity: normal
Tags: patch
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
User: reproducible-builds@lists.alioth.debian.org
Usertags: buildpath

The C compiler plugin nbdkit-cc-plugin.so in the nbdkit package records
the CFLAGS that it was built with, presumably so that it can pass them on
to objects that it is used to compile.

Unfortunately, the default CFLAGS from dpkg-buildflags include the build
path, which means this prevents the build from being reproducible (a
Policy §4.15 "should"). From a diffoscope comparison between two
consecutive builds using sbuild, for example:

│ │ │ ├── ./usr/lib/x86_64-linux-gnu/nbdkit/plugins/nbdkit-cc-plugin.so
...
│ │ │ │ ├── strings --all --bytes=8 {}
...
│ │ │ │ │ --g -O2 -ffile-prefix-map=/build/nbdkit-arafYk/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared
│ │ │ │ │ +-g -O2 -ffile-prefix-map=/build/nbdkit-icZkey/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared

After fixing #992702, this seems like it might be the only source of
non-reproducibility in the package, so if you're willing to apply a
(probably Debian-specific) patch to avoid it, the package is likely to
become fully reproducible. Please see attached for a possible implementation.

Alternatively, if the CFLAGS from building nbdkit itself are not actually
needed when building third-party code using the cc plugin, then it might
be OK to just pass -DCFLAGS="\"-fPIC -shared\"" and omit $(CFLAGS) altogether?
But I don't know this package (I don't use it myself) so there might be
a reason I'm unaware of why that would be undesirable.

See also #985553, which would avoid the need to apply this patch if
implemented.

Thanks,
    smcv
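
An added example of the approach described in the report above; it is not the patch attached to this bug and not nbdkit's or Debian's own code. The function names are hypothetical, the choice of the three prefix-map options is an assumption, and flags are assumed to be whitespace-separated with no quoted spaces. It filters the path-carrying options out of a CFLAGS string before it is recorded, then checks that a constructed stand-in for the built file no longer contains the build path.

```shell
#!/bin/sh
# Added example: not the patch attached to this bug report.

# Print the flags in $1 minus the GCC/Clang options that carry the build
# directory. Assumes whitespace-separated flags with no quoted spaces.
strip_prefix_map_flags() (
    set -f                      # no glob expansion while word-splitting $1
    out=
    for flag in $1; do
        case $flag in
            -ffile-prefix-map=*|-fdebug-prefix-map=*|-fmacro-prefix-map=*) ;;
            *) out="${out:+$out }$flag" ;;
        esac
    done
    printf '%s\n' "$out"
)

# Succeed if file $1 contains the literal build path $2 anywhere in its bytes
# (the same evidence diffoscope surfaced through strings).
records_build_path() {
    LC_ALL=C grep -a -q -F -- "$2" "$1"
}

# The two recorded CFLAGS strings from the diffoscope output in the report.
cflags_a='-g -O2 -ffile-prefix-map=/build/nbdkit-arafYk/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared'
cflags_b='-g -O2 -ffile-prefix-map=/build/nbdkit-icZkey/nbdkit-1.26.5=. -fstack-protector-strong -Wformat -Werror=format-security -fPIC -shared'

filtered_a=$(strip_prefix_map_flags "$cflags_a")
filtered_b=$(strip_prefix_map_flags "$cflags_b")

# Constructed stand-in for the built plugin: a file holding the recorded string.
artifact=$(mktemp)
printf '%s\n' "$filtered_a" > "$artifact"

if [ "$filtered_a" = "$filtered_b" ] && ! records_build_path "$artifact" /build/; then
    echo "recorded CFLAGS are build-path independent: $filtered_a"
fi
rm -f "$artifact"
```
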



Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#992722; Package src:nbdkit. (Mon, 23 Aug 2021 09:03:05 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Mon, 23 Aug 2021 09:03:06 GMT)


Message #10 received at 992722@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 992722@bugs.debian.org
Subject: Re: Bug#992722: nbdkit: non-reproducible build: CFLAGS are recorded in built binary
Date: Mon, 23 Aug 2021 09:58:38 +0100
Control: severity -1 minor

On Sun, 22 Aug 2021 at 18:17:45 +0100, Simon McVittie wrote:
> Unfortunately, the default CFLAGS from dpkg-buildflags include the build
> path, which means this prevents the build from being reproducible (a
> Policy §4.15 "should").

Lowering severity to minor because varying the build path is specifically
called out in Policy as something that is a lower priority for
reproducibility.

> After fixing #992702, this seems like it might be the only source of
> non-reproducibility in the package, so if you're willing to apply a
> (probably Debian-specific) patch to avoid it, the package is likely to
> become fully reproducible. Please see attached for a possible implementation.

Sorry, patch really attached now.

    smcv
[0001-cc-plugin-Filter-out-ffile-prefix-map-etc.-from-CFLA.patch (text/x-diff, attachment)]

Severity set to 'minor' from 'normal' Request was from Simon McVittie <smcv@debian.org> to 992722-submit@bugs.debian.org. (Mon, 23 Aug 2021 09:03:06 GMT)


Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Mon, 25 Oct 2021 17:54:07 GMT)


Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Mon, 25 Oct 2021 17:54:07 GMT)


Message #17 received at 992722-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 992722-close@bugs.debian.org
Subject: Bug#992722: fixed in nbdkit 1.26.6-1
Date: Mon, 25 Oct 2021 17:49:16 +0000
Source: nbdkit
Source-Version: 1.26.6-1
Done: Hilko Bengen <bengen@debian.org>

We believe that the bug you reported is fixed in the latest version of
nbdkit, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 992722@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated nbdkit package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Mon, 27 Sep 2021 13:40:05 +0200
Source: nbdkit
Architecture: source
Version: 1.26.6-1
Distribution: unstable
Urgency: medium
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Closes: 992702 992722
Changes:
 nbdkit (1.26.6-1) unstable; urgency=medium
 .
   [ Simon McVittie ]
   * d/rules: Specify canonical path to mke2fs (Closes: #992702)
 .
   [ Hilko Bengen ]
   * Add patch to filter out build path from cc plugin (Closes: #992722)
   * New upstream version 1.26.6




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 15 Jan 2022 07:25:55 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 12:03:53 2023; Machine Name: buxtehude
