Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
On 2021-10-03, Vagrant Cascadian wrote: > On 2021-08-26, Sebastian Ramacher wrote: >> On 2021-08-25 10:08:07 -0700, Vagrant Cascadian wrote: >>> On 2021-08-25, Sebastian Ramacher wrote: >>> > On 2021-06-23 13:16:47, Vagrant Cascadian wrote: >>> >> The build username and build system hostname are embedded in binaries >>> >> shipped in vlc: ... >> A package version doesn't tell me if it's the same version but built by >> Debian, built by Ubuntu, built by Devuan, etc. And given that we receive >> bug reports from downstream distributions also in the Debian BTS, that's >> something I want to know when triaging those reports. >> >> I'd be fine if that says for example, $DIST $ARCH buildd. That would >> only leave custom built debs. > > Attached is a patch that was merged upstream, allowing overriding > VLC_COMPILE_BY and VLC_COMPILE_HOST from configure. > > The second patch modifies Debian rules to pass information about the > build host (DEB_VENDOR, DEB_HOST_ARCH, DEB_HOST_GNU_TYPE) via > VLC_COMPILE_BY and VLC_COMPILE_HOST passed to configure. > > Hopefully this is sufficient to address the concerns of uniquely > identifying a build... Promised patches attached, really. :) live well, vagrant From eb977a8054db3b7ff665687dfc81647f2fc76943 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Sun, 3 Oct 2021 23:21:41 -0700 Subject: [PATCH 1/2] debian/patches: Allow passing VLC_COMPILE_BY and VLC_COMPILE_HOST to configure. --- ...ow-passing-VLC_COMPILE_BY-and-VLC_CO.patch | 42 +++ debian/patches/series | 1 + 2 files changed, 43 insertions(+) create mode 100644 debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch diff --git a/debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch b/debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch new file mode 100644 index 00..32479abfeb --- /dev/null +++ b/debian/patches/0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch 
@@ -0,0 +1,42 @@ +From: Vagrant Cascadian +Date: Wed, 29 Sep 2021 23:18:26 + +Subject: [PATCH] configure.ac: Allow passing VLC_COMPILE_BY and + VLC_COMPILE_HOST. +Origin: https://code.videolan.org/videolan/vlc/-/commit/9e7ed0247dd298fe8597431ae0738882e734011b +Bug: https://code.videolan.org/videolan/vlc/-/issues/26035 +Bug-Debian: https://bugs.debian.org/990246 + +This allows passing a specific value instead of inheriting these +values from the build environment. + +Fixes #26035 + +Backported from upstream commit 9e7ed0247dd298fe8597431ae0738882e734011b +--- + configure.ac | 10 -- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/configure.ac b/configure.ac +index 7db5256a84..614edbc461 100644 +--- a/configure.ac b/configure.ac +@@ -4324,8 +4324,14 @@ AC_SUBST(VERSION_MINOR) + AC_SUBST(VERSION_REVISION) + AC_SUBST(VERSION_EXTRA) + AC_SUBST(COPYRIGHT_YEARS) +-AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\/g'`", [user who ran configure]) +-AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || hostname`", [host which ran configure]) ++if [ -z "$VLC_COMPILE_BY" ]; then ++ VLC_COMPILE_BY=`whoami|sed -e 's/\\\/\\\/g'` ++fi ++AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "$VLC_COMPILE_BY", [user who ran configure]) ++if [ -z "$VLC_COMPILE_HOST" ]; then ++ VLC_COMPILE_HOST=`hostname -f 2>/dev/null || hostname` ++fi ++AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "$VLC_COMPILE_HOST", [host which ran configure]) + AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ *$//'`", [compiler]) + dnl + dnl Handle substvars that use $(top_srcdir) +-- +2.30.2 + diff --git a/debian/patches/series b/debian/patches/series index 4ac56b9c17..c263fa5c89 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ 0001-configure-fix-linking-on-RISC-V-ISA.patch 0002-Revert-configure-Require-libmodplug-0.8.9.patch 0003-Do-not-generate-cache-during-build.patch +0004-configure.ac-Allow-passing-VLC_COMPILE_BY-and-VLC_CO.patch -- 2.30.2 
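Review bot: in the configure.ac hunk, `if [ -z "$VLC_COMPILE_BY" ]` and the matching VLC_COMPILE_HOST check use `[` and `]`, which are m4 quote characters in configure.ac and can be consumed before the shell ever sees them; the autoconf idiom is `if test -z "$VLC_COMPILE_BY"; then`. A value supplied by the builder is also placed into the C string as given, while the `whoami` fallback is still passed through sed to escape backslashes, so either apply the same escaping to the override or document that it must not contain `"` or `\`.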
From c2eb314b786afef88a225bbfb39f6ceeed85638a Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Wed, 29 Sep 2021 23:13:07 + Subject: [PATCH 2/2] debian/rules: Pass VLC_COMPILE_HOST and VLC_COMPILE_BY to configure. (Closes: #990246) --- debian/rules | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/rules b/debian/rules index 92ec896223..b43e06ec1b 100755 --- a/debian/rules +++ b/debian/rules @@ -254,6 +254,9 @@ confflags += --disable-altivec removeplugins += altivec endif +confflags += VLC_COMPILE_HOST=$(DEB_VENDOR)-$(DEB_HOST_ARCH)-$(DEB_HOST_GNU_TYPE) +confflags += VLC_COMPILE_BY=$(DEB_VENDOR) + # PowerPCSPE specific optimizations ifeq (,$(filter-out powerpcspe,$(DEB_HOST_ARCH))) DEB_CFLAGS_MAINT_APPEND += -mtune=8548 -- 2.30.2 signature.asc Description: PGP signature
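Review bot: the two added confflags lines depend on $(DEB_VENDOR), and nothing in this hunk shows debian/rules including the dpkg makefile fragment that defines it (vendor.mk, or default.mk); the nearby context only shows $(DEB_HOST_ARCH) already in use. If DEB_VENDOR expands empty, VLC_COMPILE_HOST becomes `-$(DEB_HOST_ARCH)-$(DEB_HOST_GNU_TYPE)` and VLC_COMPILE_BY is empty, so the patched configure falls back to `whoami` for it. Worth confirming the include, and a one-line comment above the assignments saying they replace the build user and host for reproducibility would help the next reader.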
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Control: tags 990246 +patch

On 2021-08-26, Sebastian Ramacher wrote:
> On 2021-08-25 10:08:07 -0700, Vagrant Cascadian wrote:
>> On 2021-08-25, Sebastian Ramacher wrote:
>> > On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
>> >> The build username and build system hostname are embedded in binaries
>> >> shipped in vlc:
>> >>
>> >>
>> >> https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html
>> >>
>> >> ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0
>> >>
>> >> pbuilder1
>> >> vs.
>> >> pbuilder2
>> >>
>> >> ionos11-amd64
>> >> vs.
>> >> i-capture-the-hostname
>> >>
>> >> The attached patch fixes this by setting VLC_COMPILE_BY and
>> >> VLC_COMPILE_HOST to empty values in configure.ac.
>> >
>> > NACK. This information is part of the logs that are usually requested
>> > from users by upstream. We want to have this information included in the
>> > log so that upstream can easily identify where the logs are coming from
>> > and what they are using. And for that purpose, a self-built deb or one
>> > from a downstream distribution is different from the Debian one.
>>
>> The username and hostname of the build seems a rather imprecise way to
>> find out information about the origin of the build...
>>
>> In the context of Debian, a given package+version has specific build
>> logs associated with it findable at https://buildd.debian.org/PACKAGE
>
> A package version doesn't tell me if it's the same version but built by
> Debian, built by Ubuntu, built by Devuan, etc. And given that we receive
> bug reports from downstream distributions also in the Debian BTS, that's
> something I want to know when triaging those reports.
>
> I'd be fine if that says for example, $DIST $ARCH buildd. That would
> only leave custom built debs.

Attached is a patch that was merged upstream, allowing overriding
VLC_COMPILE_BY and VLC_COMPILE_HOST from configure.

The second patch modifies Debian rules to pass information about the
build host (DEB_VENDOR, DEB_HOST_ARCH, DEB_HOST_GNU_TYPE) via
VLC_COMPILE_BY and VLC_COMPILE_HOST passed to configure.

Hopefully this is sufficient to address the concerns of uniquely
identifying a build...

Thanks for considering!

live well,
vagrant
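A check for the leak this report describes, as an added example that is not part of the original messages or of VLC or Debian tooling: it compares the printable strings of two builds and searches a build for known build-environment identities. The byte blobs are constructed stand-ins that reuse the usernames and hostnames quoted in the report; `fake_lib`, the function names and the value `Debian` for DEB_VENDOR are assumptions.

```python
import re


def printable_strings(blob: bytes, min_len: int = 4) -> set:
    """Printable ASCII runs of at least min_len bytes, similar to strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def strings_only_in_one(a: bytes, b: bytes) -> tuple:
    """Strings present in only one of two builds; both lists empty means no drift."""
    sa, sb = printable_strings(a), printable_strings(b)
    return sorted(sa - sb), sorted(sb - sa)


def build_identity_leaks(blob: bytes, identities) -> dict:
    """Map each build-environment string found in blob to its byte offsets."""
    leaks = {}
    for ident in identities:
        needle = re.escape(ident.encode())
        offsets = [m.start() for m in re.finditer(needle, blob)]
        if offsets:
            leaks[ident] = offsets
    return leaks


def fake_lib(compile_by: str, compile_host: str) -> bytes:
    """Constructed stand-in for a library's string data (NUL-separated C strings)."""
    fields = ("VLC media player", compile_by, compile_host,
              "constructed-compiler 1.0")
    body = b"\x00".join(f.encode() for f in fields)
    return b"\x7fELF\x02\x01\x01\x00" + body + b"\x00"


# Constructed samples: the two build environments quoted in the report.
BUILD_1 = fake_lib("pbuilder1", "ionos11-amd64")
BUILD_2 = fake_lib("pbuilder2", "i-capture-the-hostname")

# Assumed values after the debian/rules change, with DEB_VENDOR=Debian.
PINNED = ("Debian", "Debian-amd64-x86_64-linux-gnu")
FIXED_1 = fake_lib(*PINNED)
FIXED_2 = fake_lib(*PINNED)

if __name__ == "__main__":
    print(strings_only_in_one(BUILD_1, BUILD_2))
    print(build_identity_leaks(BUILD_1, ["pbuilder1", "ionos11-amd64"]))
    print(strings_only_in_one(FIXED_1, FIXED_2))
```

For a real package, read the built library's bytes from disk and pass the user and host names of the build environment as `identities`.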
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Sorry for my super-clever MUA adding line breaks on its own.
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Control: forwarded 990246 https://code.videolan.org/videolan/vlc/-/issues/26035

On 26.08.2021 04:59, Vagrant Cascadian wrote:
Control: forwarded 990246 https://savannah.gnu.org/support/index.php?110532
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Control: forwarded -1 https://code.videolan.org/videolan/vlc/-/issues/26035

On 26.08.2021 04:59, Vagrant Cascadian wrote:
Control: forwarded 990246 https://savannah.gnu.org/support/index.php?110532
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
On 2021-08-25 10:08:07 -0700, Vagrant Cascadian wrote: > On 2021-08-25, Sebastian Ramacher wrote: > > On 2021-06-23 13:16:47, Vagrant Cascadian wrote: > >> The build username and build system hostname are embedded in binaries > >> shipped in vlc: > >> > >> > >> https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html > >> > >> ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 > >> > >> pbuilder1 > >> vs. > >> pbuilder2 > >> > >> ionos11-amd64 > >> vs. > >> i-capture-the-hostname > >> > >> The attached patch fixes this by setting VLC_COMPILE_BY and > >> VLC_COMPILE_HOST to empty values in configure.ac. > > > > NACK. This information is part of the logs that are usually requested > > from users by upstream. We want to have this information included in the > > log so that upstream can easily identify where the logs are coming from > > and what they are using. And for that purpose, a self-built deb or one > > from a downstream distribution is different from the Debian one. > > The username and hostname of the build seems a rather imprecise way to > find out information about the origin of the build... > > In the context of Debian, a given package+version has specific build > logs associated with it findable at https://buildd.debian.org/PACKAGE A package version doesn't tell me if it's the same version but built by Debian, built by Ubuntu, built by Devuan, etc. And given that we receive bug reports from downstream distributions also in the Debian BTS, that's something I want to know when triaging those reports. I'd be fine if that says for example, $DIST $ARCH buildd. That would only leave custom built debs. Cheers > > I would expect downstream projects to have something similar > (e.g. ubuntu). > > Obviously that wouldn't help for a self-built deb, but I would think the > person who built the deb would already have that information (and > ideally share that information with upstream)... > > Thanks for considering. 
Perhaps it will be best to take this upstream at > this point, anyways... > > > live well, > vagrant > > > >> This patch does not address all reproducibility issues in vlc > >> (e.g. build paths), though applying it reduces the diff for the > >> remaining issues. > >> > >> > >> Thanks for maintaining vlc! > >> > >> > >> live well, > >> vagrant > > > >> From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001 > >> From: Vagrant Cascadian > >> Date: Wed, 23 Jun 2021 19:33:47 + > >> Subject: [PATCH 1/3] Disable embedding the build hostname and username in > >> the > >> binaries. > >> > >> https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html > >> --- > >> configure.ac | 4 ++-- > >> 1 file changed, 2 insertions(+), 2 deletions(-) > >> > >> diff --git a/configure.ac b/configure.ac > >> index 7db5256a8..5d6324cf9 100644 > >> --- a/configure.ac > >> +++ b/configure.ac > >> @@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR) > >> AC_SUBST(VERSION_REVISION) > >> AC_SUBST(VERSION_EXTRA) > >> AC_SUBST(COPYRIGHT_YEARS) > >> -AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\/g'`", > >> [user who ran configure]) > >> -AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || > >> hostname`", [host which ran configure]) > >> +AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure]) > >> +AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure]) > >> AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ > >> *$//'`", [compiler]) > >> dnl > >> dnl Handle substvars that use $(top_srcdir) > >> -- > >> 2.32.0 -- Sebastian Ramacher signature.asc Description: PGP signature
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Control: forwarded 990246 https://savannah.gnu.org/support/index.php?110532

On 2021-08-25, Vagrant Cascadian wrote:
> On 2021-08-25, Sebastian Ramacher wrote:
>> On 2021-06-23 13:16:47, Vagrant Cascadian wrote:
>>> The build username and build system hostname are embedded in binaries
>>> shipped in vlc:
>>>
>>>
>>> https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html
...
> Thanks for considering. Perhaps it will be best to take this upstream at
> this point, anyways...

https://savannah.gnu.org/support/index.php?110532

Will see what upstream has to say...

live well,
vagrant
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
On 2021-08-25, Sebastian Ramacher wrote: > On 2021-06-23 13:16:47, Vagrant Cascadian wrote: >> The build username and build system hostname are embedded in binaries >> shipped in vlc: >> >> >> https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html >> >> ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 >> >> pbuilder1 >> vs. >> pbuilder2 >> >> ionos11-amd64 >> vs. >> i-capture-the-hostname >> >> The attached patch fixes this by setting VLC_COMPILE_BY and >> VLC_COMPILE_HOST to empty values in configure.ac. > > NACK. This information is part of the logs that are usually requested > from users by upstream. We want to have this information included in the > log so that upstream can easily identify where the logs are coming from > and what they are using. And for that purpose, a self-built deb or one > from a downstream distribution is different from the Debian one. The username and hostname of the build seems a rather imprecise way to find out information about the origin of the build... In the context of Debian, a given package+version has specific build logs associated with it findable at https://buildd.debian.org/PACKAGE I would expect downstream projects to have something similar (e.g. ubuntu). Obviously that wouldn't help for a self-built deb, but I would think the person who built the deb would already have that information (and ideally share that information with upstream)... Thanks for considering. Perhaps it will be best to take this upstream at this point, anyways... live well, vagrant >> This patch does not address all reproducibility issues in vlc >> (e.g. build paths), though applying it reduces the diff for the >> remaining issues. >> >> >> Thanks for maintaining vlc! >> >> >> live well, >> vagrant > >> From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001 
>> From: Vagrant Cascadian >> Date: Wed, 23 Jun 2021 19:33:47 + >> Subject: [PATCH 1/3] Disable embedding the build hostname and username in the >> binaries. >> >> https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html >> --- >> configure.ac | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/configure.ac b/configure.ac >> index 7db5256a8..5d6324cf9 100644 >> --- a/configure.ac >> +++ b/configure.ac >> @@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR) >> AC_SUBST(VERSION_REVISION) >> AC_SUBST(VERSION_EXTRA) >> AC_SUBST(COPYRIGHT_YEARS) >> -AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\/g'`", >> [user who ran configure]) >> -AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || >> hostname`", [host which ran configure]) >> +AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure]) >> +AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure]) >> AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ >> *$//'`", [compiler]) >> dnl >> dnl Handle substvars that use $(top_srcdir) >> -- >> 2.32.0 signature.asc Description: PGP signature
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Control: tags -1 - patch On 2021-06-23 13:16:47, Vagrant Cascadian wrote: > Source: vlc > Severity: normal > Tags: patch > User: reproducible-bui...@lists.alioth.debian.org > Usertags: username hostname > X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org > > The build username and build system hostname are embedded in binaries > shipped in vlc: > > > https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html > > ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 > > pbuilder1 > vs. > pbuilder2 > > ionos11-amd64 > vs. > i-capture-the-hostname > > The attached patch fixes this by setting VLC_COMPILE_BY and > VLC_COMPILE_HOST to empty values in configure.ac. NACK. This information is part of the logs that are usually requested from users by upstream. We want to have this information included in the log so that upstream can easily identify where the logs are coming from and what they are using. And for that purpose, a self-built deb or one from a downstream distribution is different from the Debian one. Cheers > > > This patch does not address all reproducibility issues in vlc > (e.g. build paths), though applying it reduces the diff for the > remaining issues. > > > Thanks for maintaining vlc! > > > live well, > vagrant > From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001 > From: Vagrant Cascadian > Date: Wed, 23 Jun 2021 19:33:47 + > Subject: [PATCH 1/3] Disable embedding the build hostname and username in the > binaries. > > https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html > --- > configure.ac | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 7db5256a8..5d6324cf9 100644 > --- a/configure.ac > +++ b/configure.ac 
> @@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR) > AC_SUBST(VERSION_REVISION) > AC_SUBST(VERSION_EXTRA) > AC_SUBST(COPYRIGHT_YEARS) > -AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\/g'`", > [user who ran configure]) > -AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || > hostname`", [host which ran configure]) > +AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure]) > +AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure]) > AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ > *$//'`", [compiler]) > dnl > dnl Handle substvars that use $(top_srcdir) > -- > 2.32.0 > -- Sebastian Ramacher
Bug#990246: vlc: reproducible builds: Embeds build username and hostname in binaries
Source: vlc Severity: normal Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: username hostname X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org The build username and build system hostname are embedded in binaries shipped in vlc: https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/vlc.html ./usr/lib/x86_64-linux-gnu/libvlccore.so.9.0.0 pbuilder1 vs. pbuilder2 ionos11-amd64 vs. i-capture-the-hostname The attached patch fixes this by setting VLC_COMPILE_BY and VLC_COMPILE_HOST to empty values in configure.ac. This patch does not address all reproducibility issues in vlc (e.g. build paths), though applying it reduces the diff for the remaining issues. Thanks for maintaining vlc! live well, vagrant From 01e2dcc51b31f1a06bcd07faa0ae3fbd0ddbe9c6 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Wed, 23 Jun 2021 19:33:47 + Subject: [PATCH 1/3] Disable embedding the build hostname and username in the binaries. https://tests.reproducible-builds.org/debian/issues/user_hostname_manually_added_requiring_further_investigation_issue.html --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 7db5256a8..5d6324cf9 100644 --- a/configure.ac +++ b/configure.ac @@ -4324,8 +4324,8 @@ AC_SUBST(VERSION_MINOR) AC_SUBST(VERSION_REVISION) AC_SUBST(VERSION_EXTRA) AC_SUBST(COPYRIGHT_YEARS) -AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "`whoami|sed -e 's/\\\/\\\/g'`", [user who ran configure]) -AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "`hostname -f 2>/dev/null || hostname`", [host which ran configure]) +AC_DEFINE_UNQUOTED(VLC_COMPILE_BY, "", [user who ran configure]) +AC_DEFINE_UNQUOTED(VLC_COMPILE_HOST, "", [host which ran configure]) AC_DEFINE_UNQUOTED(VLC_COMPILER, "`$CC -v 2>&1 | tail -n 1 | sed -e 's/ *$//'`", [compiler]) dnl dnl Handle substvars that use $(top_srcdir) -- 2.32.0 signature.asc Description: PGP signature
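Review bot: hard-coding "" for VLC_COMPILE_BY and VLC_COMPILE_HOST in the two `+` lines removes both fields for every builder, not only for reproducible builds; keeping the existing `whoami` and `hostname` commands as a fallback and using a value supplied at configure time when one is given would remove the variation while still letting a builder label its output. If the values stay empty, the unchanged descriptions `[user who ran configure]` and `[host which ran configure]` no longer match what is defined and should be updated.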