Source: powerline
Version: 1.2-2
Severity: normal
Usertags: timestamps fileordering


While working on the “reproducible builds” effort [1], we have noticed that
powerline could not be built reproducibly and it leaks the user's environment
into the resulting binary package when building.

The environment appears in the file
../usr/share/doc/python-powerline-doc/html/develop/extensions.html which is
generated from powerline/ line 47. Since the environment is
different between different users, this makes the package unreproducible. It
might also leak sensitive data the user happens to have in their environment
into the package build.

Maybe the environment dump should be filtered? What is the reason for it being
stored in segment_info in the first place? What is the purpose of storing the
value of $HOME during the package build in the member 'home'?

If these values are important for the operation of the package then they have
to be kept but they should not be included with their values during the package
build in the sphinx documentation.

Cheers, akira


Reproducible-builds mailing list
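
A check for the leak described in the report above, added here as an example (it is not part of the original message or of powerline): it scans a built documentation tree for values of the build environment and reports only the variable names. The function names, the length threshold and the sample tree are assumptions made for this illustration.

```python
import os
import tempfile
from pathlib import Path

# Shorter values (e.g. TERM=xterm) match too much unrelated text; assumed threshold.
MIN_VALUE_LEN = 6


def find_env_leaks(doc_root, environ=None, suffixes=(".html", ".txt", ".js")):
    """Return sorted (relative_path, variable_name) pairs for every environment
    value found verbatim in generated files under doc_root. Only names are
    reported, so the report does not repeat the leaked values. Values that the
    generator HTML-escaped (containing &, <, >) are not matched by this check."""
    environ = dict(os.environ if environ is None else environ)
    needles = {name: value.encode("utf-8", "surrogateescape")
               for name, value in environ.items()
               if len(value) >= MIN_VALUE_LEN}
    root = Path(doc_root)
    hits = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        data = path.read_bytes()
        for name, needle in needles.items():
            if needle in data:
                hits.add((path.relative_to(root).as_posix(), name))
    return sorted(hits)


def demo():
    """Constructed sample: a fake doc tree where one page embeds an environment dump."""
    env = {"HOME": "/home/builder-example",
           "API_TOKEN": "constructed-secret-123",
           "TERM": "xterm"}
    with tempfile.TemporaryDirectory() as tmp:
        develop = Path(tmp, "html", "develop")
        develop.mkdir(parents=True)
        (develop / "extensions.html").write_text(
            "<pre>{'home': '/home/builder-example', 'environ': "
            "{'API_TOKEN': 'constructed-secret-123', 'TERM': 'xterm'}}</pre>")
        (develop / "index.html").write_text("<p>No environment data here.</p>")
        return find_env_leaks(tmp, env)


if __name__ == "__main__":
    for rel, name in demo():
        print(f"{rel}: contains the build-time value of ${name}")
```

Run against the unpacked package contents in the same environment that performed the build, a non-empty result means the build is both unreproducible across users and exposing environment data.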