Source: gbrowse
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The OpenIDConsumerSecret in /etc/gbrowse/ConfigData.pm is a randomized value:

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/gbrowse.html

  'OpenIDConsumerSecret'·=>·'867318970136679',
  vs.
  'OpenIDConsumerSecret'·=>·'940203427089713',

The attached patch to Build.PL fixes this by initializing the random seed using the SOURCE_DATE_EPOCH environment variable.

If this is really a secret, all Debian users using the same package will share the same secret, so there may be some security implications! A better approach might be to generate this value at run time or package installation time, but I do not know enough about how gbrowse uses this to propose a specific approach.

Unfortunately, this is not the only reproducibility issue affecting gbrowse, but applying this patch should make it easier to troubleshoot the remaining issues.

Thanks for maintaining gbrowse!

live well,
  vagrant

From 00a106ede6981071dcb346c0e2efd196f0cf9662 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian <vagr...@reproducible-builds.org> Date: Fri, 9 Jun 2023 15:59:14 -0700 Subject: [PATCH] Build.PL: Seed random number generator with SOURCE_DATE_EPOCH. --- Build.PL | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Build.PL b/Build.PL index 7a664ab..3b8322f 100644 --- a/Build.PL +++ b/Build.PL @@ -128,6 +128,8 @@ for my $arg (keys %{$build->private_props}) { $build->config_data($arg=>$value); $argc++; } +# Seed the random number generator with the value of SOURCE_DATE_EPOCH +srand(int($ENV{SOURCE_DATE_EPOCH})); $build->config_data(OpenIDConsumerSecret=>int(1e15*rand())); $build->config_done(1) if $argc > 0; -- 2.39.2
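
Review bot: In the two lines added ahead of the `$build->config_data(OpenIDConsumerSecret=>...)` call, `srand(int($ENV{SOURCE_DATE_EPOCH}))` runs unconditionally, so a build where SOURCE_DATE_EPOCH is unset seeds with int(undef), which is 0, and every such build then produces the same value where it previously got a random one. Guard the call, for example `srand(int($ENV{SOURCE_DATE_EPOCH})) if defined $ENV{SOURCE_DATE_EPOCH};`. Separately, once the seed is fixed, `int(1e15*rand())` is a function of a timestamp that ships with the package, so the result should not be relied on as a secret; if it is one, it should be generated at installation time rather than in Build.PL.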
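
One way the install-time generation suggested in the report could look, as an added example that is not part of the original report or of the gbrowse packaging. The function names `gen_secret`, `set_secret` and `demo` are hypothetical, and it assumes gbrowse tolerates the value being replaced after installation and that the config line keeps the form shown in the diffoscope output.

```shell
#!/bin/sh
# Added example, not gbrowse's or Debian's packaging code.
# Assumption: the secret may be replaced after installation and the config line
# keeps the 'OpenIDConsumerSecret' => '<digits>', form seen in the report.

# Print 15 decimal digits drawn uniformly from the kernel CSPRNG.
gen_secret() {
    s=$(head -c 4096 /dev/urandom | LC_ALL=C tr -dc '0-9' | cut -c1-15)
    # 4096 random bytes yield about 160 digits; fail rather than emit a short value.
    [ "${#s}" -eq 15 ] || return 1
    printf '%s\n' "$s"
}

# set_secret FILE SECRET: rewrite the OpenIDConsumerSecret value in FILE.
set_secret() {
    file=$1 secret=$2
    case $secret in ''|*[!0-9]*) return 1 ;; esac   # digits only, safe inside sed
    tmp=$(mktemp) || return 1
    if sed "s/\('OpenIDConsumerSecret' *=> *\)'[^']*'/\1'$secret'/" "$file" >"$tmp" &&
       grep -q "'OpenIDConsumerSecret' *=> *'$secret'" "$tmp"; then
        cat "$tmp" >"$file"      # overwrite in place: keeps owner and mode
        rc=$?
    else
        rc=1                     # key not found: leave FILE untouched
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample standing in for /etc/gbrowse/ConfigData.pm.
demo() {
    f=$(mktemp) || return 1
    printf "%s\n" "  'OpenIDConsumerSecret' => '867318970136679'," >"$f"
    set_secret "$f" "$(gen_secret)" && cat "$f"
    rm -f "$f"
}
demo
```

With the secret set per installation, the value shipped in the package can stay deterministic for reproducibility without being shared by every installed system.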