On 2/28/20 7:15 PM, Chris Lamb wrote:
> Source: openstack-pkg-tools
> Version: 108
> Severity: wishlist
> Tags: patch
> User: reproducible-bui...@lists.alioth.debian.org
> Usertags: toolchain
> X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
> 
> Hi,
> 
> Whilst working on the Reproducible Builds effort [0] we noticed that
> openstack-pkg-tools is causing other packages to be built in an
> unreproducible manner.
> 
> In particular, the "/usr/bin/pkgos-dh_auto_install" script may 
> nondeterministically create packages with differing shebangs and binary 
> dependencies. For example, this is from src:redfishtool:
> 
> │ -#!/usr/bin/python3.7
> │ +#!/usr/bin/python3.8
> 
> […]
> 
> │ │ │ │ -Depends: python3-requests, python3.8:any, python3:any
> │ │ │ │ +Depends: python3-requests, python3.7:any, python3:any
> 
> §
> 
> This is caused by a number of layered reasons. First, we are building
> all supported Python versions (eg. Python 3.7 and Python 3.8) in
> separate directories but then sequentially installing them to the
> same destination, debian/${TARGET_DIR}.
> 
> However, this causes problems because if latter installations complete
> in less than one second, distutils may decide to skip copying files in
> the shared destination as it incorrectly believes them to be up-to-
> date. This will result in a package arbitrarily containing scripts
> with different version shebangs depending on the approximate total
> execution speed of installation. This is, needless to say,
> nondeterministic.
> 
> For example, if we build for both Python 3.7 and Python 3.8 but the
> installation of the latter occurs within the same wall clock second of
> the former, the Python 3.8 version will not overwrite the Python 3.7
> version and lead to a shebang of #!/usr/bin/python3.7 … whilst if it
> does not occur within the same second, the shebang will be overwritten
> to #!/usr/bin/python3.8.
> 
> A patch is attached that passes --force to `setup.py install [..]`
> which will avoid the underlying calls to distutils's `dep_util.newer`
> and thus will always update.
> 
>   [0] https://reproducible-builds.org/
> 
> 
> Regards,

Hi Chris!

This is very nice, but in fact, having python3.8 or python3.7, can be
considered as a bug in the packages I maintain. Indeed, what it means is
that the package is missing:

override_dh_python3:
        dh_python3 --shebang=/usr/bin/python3

Without this, the package incorrectly will have python3.x as dependency
instead of python3:any.

Do I understand well that you saw this in redfishtool? In such case,
that's where the bug should be filed, IMO.

Your thoughts?
Cheers,

Thomas Goirand (zigo)
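
The same-second race described in the quoted report, as an added example that is not part of either message and is not code from distutils or openstack-pkg-tools. The helpers `newer`, `install_script` and `simulate` are hypothetical names; `newer` is a simplified model that assumes the up-to-date check compares whole-second mtimes, and the timestamps are constructed.

```python
import os
import shutil
import tempfile


def newer(source, target):
    """Simplified model of the up-to-date check: whole-second mtime comparison."""
    if not os.path.exists(target):
        return True
    return int(os.stat(source).st_mtime) > int(os.stat(target).st_mtime)


def install_script(source, target, force=False):
    """Copy source over target unless target looks up to date; True if copied."""
    if not force and not newer(source, target):
        return False  # skipped: target believed to be current
    shutil.copy2(source, target)  # copy2 keeps the source mtime on the target
    return True


def simulate(gap_seconds, force=False):
    """Install a 3.7 build, then a 3.8 build, of one script into a shared
    destination; return the shebang that ends up in the destination."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "installed-script")
        base = 1_582_900_000  # constructed timestamp, not taken from the report
        for offset, version in ((0.0, "3.7"), (gap_seconds, "3.8")):
            built = os.path.join(root, "scripts-" + version)
            with open(built, "w") as fh:
                fh.write("#!/usr/bin/python%s\nprint('hello')\n" % version)
            # Pin the build output's mtime so the outcome does not depend on
            # how fast this machine happens to run.
            os.utime(built, (base + offset, base + offset))
            install_script(built, target, force=force)
        with open(target) as fh:
            return fh.readline().strip()


if __name__ == "__main__":
    for gap, force in ((0.4, False), (1.2, False), (0.4, True)):
        print("gap=%.1fs force=%s -> %s" % (gap, force, simulate(gap, force)))
```
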
