Bug#1037277:

[James Addison]

severity -1 wishlist
thanks

Dear Maintainer,

Because Debian builds packages from a fixed build path, neither the 'reprotest'
utility in Salsa-CI, nor the Reproducible Builds team's package test
infrastructure for Debian[1] currently check for equivalent binary package
output from differing source package build paths.

This means that your package will pass current reproducibility tests; however
we believe that source code and/or build steps still embed the build path into
the binary package output, making it more difficult than necessary for
independent consumers to check the integrity of binary packages by recompiling
them themselves.

As a result, this bugreport will remain open and be re-assigned the 'wishlist'
severity[2].

For more information about build paths and how they can affect reproducibility,
please refer to: https://reproducible-builds.org/docs/build-path/

Thanks,
James

[1] - https://tests.reproducible-builds.org/debian/reproducible.html

[2] - https://www.debian.org/Bugs/Developer#severities

Bug#1037277: advi: reproducible-builds: Embedded build path and usrmerge paths in example Makefile

[Vagrant Cascadian]

Source: advi
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: buildpath usrmerge
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The build path and various binary paths are embedded in
/usr/share/doc/advi/manual/pngs/Makefile.gz:

  
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/advi.html

  ACLOCAL·=·${SHELL}·/build/1st/advi-1.10.2/missing·--run·aclocal-1.11
  vs.
  ACLOCAL·=·${SHELL}·/build/2/advi-1.10.2/2nd/missing·--run·aclocal-1.11

  EGREP·=·/bin/grep·-E  
  vs.
  EGREP·=·/usr/bin/grep·-E

The attached patch fixes this by removing the example Makefile, which
would have to be regenerated anyways to match the running system.

If removing the example Makefile is not viable, it might be possible to
sanitize the build paths, and add relevent arguments to configure
(e.g. EGREP='/bin/grep -e') to use the specified paths.

According to my local tests, with this patch applied advi should build
reproducibly on tests.reproducible-builds.org!

Thanks for maintaining advi!

live well,
  vagrant
From 74e3aa7add59ff6b73ff7aec20c6963244bc275d Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian 
Date: Fri, 9 Jun 2023 19:40:34 -0700
Subject: [PATCH] debian/rules: Remove example Makefile in dh_install override.

This Makefile embeds the build path and binary paths of the build
environment, and would need to be regenerated to actually use.

https://reproducible-builds.org/docs/build-path/
https://tests.reproducible-builds.org/debian/issues/unstable/paths_vary_due_to_usrmerge_issue.html
---
 debian/rules | 5 +
 1 file changed, 5 insertions(+)

diff --git a/debian/rules b/debian/rules
index ca3a02c..2c8c922 100755
--- a/debian/rules
+++ b/debian/rules
@@ -30,6 +30,11 @@ endif
 override_dh_compress:
 	dh_compress --exclude=usr/share/doc/advi/splash.dvi
 
+override_dh_install:
+	dh_install
+	# Remove example Makefile with build paths and binary paths
+	rm -vf debian/advi/usr/share/doc/advi/manual/pngs/Makefile
+
 override_dh_auto_test:
 
 override_dh_autoreconf:
-- 
2.39.2



signature.asc
Description: PGP signature