Source: cmake
Version: 3.5.2-1
Severity: wishlist
Tags: patch
Usertags: toolchain fileordering


Packages using CMake often use file(GLOB ...) to retrieve a list of
source files [1]. As this is based on readdir(), the resulting file list
is unsorted. A common use case is to pass this list directly to
add_executable or add_library. But as the order is unpredictable, the
binaries are not reproducible (because the order in which the objects
are linked will vary).

The attached patch (already sent upstream) will sort the resulting lists
from file(GLOB ...) and help with building reproducible packages.


diff --git a/debian/patches/series b/debian/patches/series
index e9e2070..af9c632 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
diff --git a/debian/patches/sort_file_globs.patch b/debian/patches/sort_file_globs.patch
new file mode 100644
index 0000000..1bf5155
--- /dev/null
+++ b/debian/patches/sort_file_globs.patch
@@ -0,0 +1,29 @@
+Author: Reiner Herrmann <>
+Description: sort the result of file(GLOB ...) command
+ Many packages pass the file list directly to add_executable / add_library,
+ which will produce an unreproducible binary, as the sources/objects are
+ linked in unpredictable readdir() order.
+--- a/Source/cmFileCommand.cxx
++++ b/Source/cmFileCommand.cxx
+@@ -1028,6 +1028,7 @@
+     std::vector<std::string>::size_type cc;
+     std::vector<std::string>& files = g.GetFiles();
++    std::sort(files.begin(), files.end());
+     for ( cc = 0; cc < files.size(); cc ++ )
+       {
+       if ( !first )
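Review bot: the added `std::sort(files.begin(), files.end());` line has no matching `#include <algorithm>` in this hunk, so please confirm that cmFileCommand.cxx already includes it directly rather than relying on a transitive include. A short comment above the call would also help: say that the sort exists for reproducible builds and that the default `std::string` comparison is byte-wise and locale-independent, so that a later cleanup does not swap in a locale-aware or case-insensitive comparison that would make the order depend on the build environment.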
+--- a/Help/command/file.rst
++++ b/Help/command/file.rst
+@@ -103,8 +103,7 @@
+ store it into the ``<variable>``.  Globbing expressions are similar to
+ regular expressions, but much simpler.  If ``RELATIVE`` flag is
+ specified, the results will be returned as relative paths to the given
+-path.  No specific order of results is defined.  If order is important then
+-sort the list explicitly (e.g. using the :command:`list(SORT)` command).
++path.  The file list will be sorted.
+ By default ``GLOB`` lists directories - directories are omited in result if
+ ``LIST_DIRECTORIES`` is set to false.
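Review bot: the replacement sentence `path.  The file list will be sorted.` does not say what the order is. Since the goal is a stable order that users can rely on, state that results are ordered lexicographically. The removed pointer to :command:`list(SORT)` is also still useful to projects that must build with CMake releases lacking this change, so consider keeping it with a version qualifier instead of deleting it.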

Attachment: signature.asc
Description: PGP signature
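For CMake versions without this patch, the pattern described in the report (a `file(GLOB ...)` result passed straight to `add_executable` / `add_library`) can be found with a small lint pass. The script below is an added example, not part of the bug report or of CMake; the function names and the sample `CMakeLists.txt` text are constructed for illustration, and the check is a heuristic that does not follow variables copied via `set()`.

```python
import re

# CMake command names are case-insensitive; keywords and variable names are not.
GLOB_RE = re.compile(r'\b(?i:file)\s*\(\s*GLOB(?:_RECURSE)?\s+(\w+)')
SORT_RE = re.compile(r'\b(?i:list)\s*\(\s*SORT\s+(\w+)')
TARGET_RE = re.compile(r'\b(?i:(add_executable|add_library))\s*\(([^)]*)\)')
VAR_RE = re.compile(r'\$\{(\w+)\}')


def strip_comments(text):
    # Crude: also removes a '#' that appears inside a quoted argument.
    return re.sub(r'#[^\n]*', '', text)


def unsorted_glob_targets(cmake_text):
    """Return [(command, target, variable)] for every target that consumes a
    file(GLOB) result with no list(SORT) between the glob and the target."""
    text = strip_comments(cmake_text)
    events = [(m.start(), 'glob', m.group(1)) for m in GLOB_RE.finditer(text)]
    events += [(m.start(), 'sort', m.group(1)) for m in SORT_RE.finditer(text)]
    events += [(m.start(), 'target', (m.group(1), m.group(2)))
               for m in TARGET_RE.finditer(text)]
    events.sort(key=lambda e: e[0])          # replay commands in file order

    unsorted, findings = set(), []
    for _, kind, payload in events:
        if kind == 'glob':
            unsorted.add(payload)            # list is in readdir() order
        elif kind == 'sort':
            unsorted.discard(payload)        # order is now deterministic
        else:
            command, args = payload
            words = args.split()
            target = words[0] if words else ''
            for var in VAR_RE.findall(args):
                if var in unsorted:
                    findings.append((command.lower(), target, var))
    return findings


# Constructed sample input, not taken from any real package.
SAMPLE = """\
file(GLOB APP_SRCS src/*.c)          # readdir() order
add_executable(app ${APP_SRCS})
file(GLOB LIB_SRCS "lib/*.c")
list(SORT LIB_SRCS)                  # explicit, deterministic order
add_library(util STATIC ${LIB_SRCS})
# add_executable(old ${APP_SRCS})
"""

if __name__ == '__main__':
    for command, target, var in unsorted_glob_targets(SAMPLE):
        print(f"{command}({target}): ${{{var}}} comes from an unsorted file(GLOB)")
```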
