Bug#834050: libpam-ldap: please make the build reproducible
On 2022-11-17, Lucas Castro wrote: > Thanks. = ) Well hi there! Would you mind me re-uploading without delay or a reduced delay? live well, vagrant > Em 17/11/2022 16:48, Vagrant Cascadian escreveu: >> Control: tags 834050 pending >> >> On 2017-02-15, Chris Lamb wrote: >>> Lucas Castro wrote: >>> I suppose the patch hadn't fixed the bug. >>> Ah, try: >>> >>>--- libpam-ldap-186.orig/vers_string >>>+++ libpam-ldap-186/vers_string >>>@@ -14,6 +14,10 @@ if ($ENV{'PROGRAM'}) { $PROGRAM = $ENV{' >>> >>> chop($AUTHOR); >>> chop($DATE=`date -u`); >>>+if (defined $ENV{SOURCE_DATE_EPOCH}) { >>>+chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); >>>+$AUTHOR="NO DEVELOPER SET"; >>>+} >>> chop($CWD=`pwd`); >>> >>> ($PROJECT, $VERSION) = split(/\-/, &getCVSVersionInfo()); >> This solved both the timestamp and build user issue! >> >> There was another issue where the package and version information is >> derived from the top-level build directory, but this can be fixed easily >> by passing PROGRAM to dh_auto_build. >> >> Uploaded an NMU to DELAYED/10 which fixes both outstanding issues: >> >> diff -Nru libpam-ldap-186/debian/changelog libpam-ldap-186/debian/changelog >> --- libpam-ldap-186/debian/changelog 2017-05-31 10:19:41.0 -0700 >> +++ libpam-ldap-186/debian/changelog 2022-11-17 11:42:13.0 -0800 >> @@ -1,3 +1,17 @@ >> +libpam-ldap (186-4.1) unstable; urgency=medium >> + >> + * Non-maintainer upload. >> + >> + [ Chris Lamb ] >> + * vers_string: Use fixed value for AUTHOR if SOURCE_DATE_EPOCH is >> +set. (Closes: #834050) >> + >> + [ Vagrant Cascadian ] >> + * debian/rules: Pass PROGRAM to dh_auto_build override. >> +(Closes: #834050) >> + >> + -- Vagrant Cascadian Thu, 17 Nov 2022 >> 11:42:13 -0800 >> + >> libpam-ldap (186-4) unstable; urgency=medium >> >> * Install /usr/share/pam-configs/ldap >> diff -Nru libpam-ldap-186/debian/patches/series >> libpam-ldap-186/debian/patches/series >> --- libpam-ldap-186/debian/patches/series2017-02-10 20:39:24.0 >> -0800 >> +++ libpam-ldap-186/debian/patches/series2022-11-17 11:42:13.0 >> -0800 >> @@ -6,3 +6,4 @@ >> reproducible_build.patch >> configfile_install.patch >> configfile_references.patch >> +vers_string-use-fixed-value-for-author-i.patch >> diff -Nru >> libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch >> >> libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch >> --- >> libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch >> 1969-12-31 16:00:00.0 -0800 >> +++ >> libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch >> 2022-11-17 11:42:13.0 -0800 >> @@ -0,0 +1,21 @@ >> +From: Chris Lamb >> +Date: Wed, 15 Feb 2017 17:12:58 +1300 >> +X-Dgit-Generated: 186-4.1 98efdb0f8a716ed9c1403523c90f3b0b6ff8c493 >> +Subject: vers_string: Use fixed value for AUTHOR if SOURCE_DATE_EPOCH is >> set. >> + >> +(Closes: #834050) >> + >> +--- >> + >> +diff --git a/vers_string b/vers_string >> +index 11af68a..5a072f3 100755 >> +--- a/vers_string >> b/vers_string >> +@@ -16,6 +16,7 @@ chop($AUTHOR); >> + chop($DATE=`date -u`); >> + if (defined $ENV{SOURCE_DATE_EPOCH}) { >> +chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); >> ++ $AUTHOR="NO DEVELOPER SET"; >> + } >> + chop($CWD=`pwd`); >> + >> diff -Nru libpam-ldap-186/debian/rules libpam-ldap-186/debian/rules >> --- libpam-ldap-186/debian/rules 2017-05-31 10:19:28.0 -0700 >> +++ libpam-ldap-186/debian/rules 2022-11-17 11:42:13.0 -0800 >> @@ -4,6 +4,8 @@ >> >> export DEB_BUILD_MAINT_OPTIONS= hardening=+bindnow >> >> +include /usr/share/dpkg/pkg-info.mk >> + >> %: >> dh $@ --with autoreconf >> >> @@ -17,3 +19,6 @@ >> dh_install >> install -D -m 644 debian/libpam-ldap.pam-auth-update \ >> debian/libpam-ldap/usr/share/pam-configs/ldap >> + >> +override_dh_auto_build: >> +dh_auto_build -- PROGRAM=$(DEB_SOURCE)-$(DEB_VERSION_UPSTREAM) >> >> >> >> live well, >>vagrant signature.asc Description: PGP signature
Bug#834050: libpam-ldap: please make the build reproducible
Thanks. = ) Em 17/11/2022 16:48, Vagrant Cascadian escreveu: Control: tags 834050 pending On 2017-02-15, Chris Lamb wrote: Lucas Castro wrote: I suppose the patch hadn't fixed the bug. Ah, try: --- libpam-ldap-186.orig/vers_string +++ libpam-ldap-186/vers_string @@ -14,6 +14,10 @@ if ($ENV{'PROGRAM'}) { $PROGRAM = $ENV{' chop($AUTHOR); chop($DATE=`date -u`); +if (defined $ENV{SOURCE_DATE_EPOCH}) { +chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); +$AUTHOR="NO DEVELOPER SET"; +} chop($CWD=`pwd`); ($PROJECT, $VERSION) = split(/\-/, &getCVSVersionInfo()); This solved both the timestamp and build user issue! There was another issue where the package and version information is derived from the top-level build directory, but this can be fixed easily by passing PROGRAM to dh_auto_build. Uploaded an NMU to DELAYED/10 which fixes both outstanding issues: diff -Nru libpam-ldap-186/debian/changelog libpam-ldap-186/debian/changelog --- libpam-ldap-186/debian/changelog2017-05-31 10:19:41.0 -0700 +++ libpam-ldap-186/debian/changelog2022-11-17 11:42:13.0 -0800 @@ -1,3 +1,17 @@ +libpam-ldap (186-4.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Chris Lamb ] + * vers_string: Use fixed value for AUTHOR if SOURCE_DATE_EPOCH is +set. (Closes: #834050) + + [ Vagrant Cascadian ] + * debian/rules: Pass PROGRAM to dh_auto_build override. +(Closes: #834050) + + -- Vagrant Cascadian Thu, 17 Nov 2022 11:42:13 -0800 + libpam-ldap (186-4) unstable; urgency=medium * Install /usr/share/pam-configs/ldap diff -Nru libpam-ldap-186/debian/patches/series libpam-ldap-186/debian/patches/series --- libpam-ldap-186/debian/patches/series 2017-02-10 20:39:24.0 -0800 +++ libpam-ldap-186/debian/patches/series 2022-11-17 11:42:13.0 -0800 @@ -6,3 +6,4 @@ reproducible_build.patch configfile_install.patch configfile_references.patch +vers_string-use-fixed-value-for-author-i.patch diff -Nru libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch --- libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch 1969-12-31 16:00:00.0 -0800 +++ libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch 2022-11-17 11:42:13.0 -0800 @@ -0,0 +1,21 @@ +From: Chris Lamb +Date: Wed, 15 Feb 2017 17:12:58 +1300 +X-Dgit-Generated: 186-4.1 98efdb0f8a716ed9c1403523c90f3b0b6ff8c493 +Subject: vers_string: Use fixed value for AUTHOR if SOURCE_DATE_EPOCH is set. + +(Closes: #834050) + +--- + +diff --git a/vers_string b/vers_string +index 11af68a..5a072f3 100755 +--- a/vers_string b/vers_string +@@ -16,6 +16,7 @@ chop($AUTHOR); + chop($DATE=`date -u`); + if (defined $ENV{SOURCE_DATE_EPOCH}) { + chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); ++ $AUTHOR="NO DEVELOPER SET"; + } + chop($CWD=`pwd`); + diff -Nru libpam-ldap-186/debian/rules libpam-ldap-186/debian/rules --- libpam-ldap-186/debian/rules2017-05-31 10:19:28.0 -0700 +++ libpam-ldap-186/debian/rules2022-11-17 11:42:13.0 -0800 @@ -4,6 +4,8 @@ export DEB_BUILD_MAINT_OPTIONS= hardening=+bindnow +include /usr/share/dpkg/pkg-info.mk + %: dh $@ --with autoreconf @@ -17,3 +19,6 @@ dh_install install -D -m 644 debian/libpam-ldap.pam-auth-update \ debian/libpam-ldap/usr/share/pam-configs/ldap + +override_dh_auto_build: + dh_auto_build -- PROGRAM=$(DEB_SOURCE)-$(DEB_VERSION_UPSTREAM) live well, vagrant OpenPGP_signature Description: OpenPGP digital signature
Bug#834050: libpam-ldap: please make the build reproducible
Control: tags 834050 pending On 2017-02-15, Chris Lamb wrote: > Lucas Castro wrote: > >> I suppose the patch hadn't fixed the bug. > > Ah, try: > > --- libpam-ldap-186.orig/vers_string > +++ libpam-ldap-186/vers_string > @@ -14,6 +14,10 @@ if ($ENV{'PROGRAM'}) { $PROGRAM = $ENV{' > >chop($AUTHOR); >chop($DATE=`date -u`); > +if (defined $ENV{SOURCE_DATE_EPOCH}) { > + chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); > + $AUTHOR="NO DEVELOPER SET"; > +} >chop($CWD=`pwd`); > >($PROJECT, $VERSION) = split(/\-/, &getCVSVersionInfo()); This solved both the timestamp and build user issue! There was another issue where the package and version information is derived from the top-level build directory, but this can be fixed easily by passing PROGRAM to dh_auto_build. Uploaded an NMU to DELAYED/10 which fixes both outstanding issues: diff -Nru libpam-ldap-186/debian/changelog libpam-ldap-186/debian/changelog --- libpam-ldap-186/debian/changelog2017-05-31 10:19:41.0 -0700 +++ libpam-ldap-186/debian/changelog2022-11-17 11:42:13.0 -0800 @@ -1,3 +1,17 @@ +libpam-ldap (186-4.1) unstable; urgency=medium + + * Non-maintainer upload. + + [ Chris Lamb ] + * vers_string: Use fixed value for AUTHOR if SOURCE_DATE_EPOCH is +set. (Closes: #834050) + + [ Vagrant Cascadian ] + * debian/rules: Pass PROGRAM to dh_auto_build override. +(Closes: #834050) + + -- Vagrant Cascadian Thu, 17 Nov 2022 11:42:13 -0800 + libpam-ldap (186-4) unstable; urgency=medium * Install /usr/share/pam-configs/ldap diff -Nru libpam-ldap-186/debian/patches/series libpam-ldap-186/debian/patches/series --- libpam-ldap-186/debian/patches/series 2017-02-10 20:39:24.0 -0800 +++ libpam-ldap-186/debian/patches/series 2022-11-17 11:42:13.0 -0800 @@ -6,3 +6,4 @@ reproducible_build.patch configfile_install.patch configfile_references.patch +vers_string-use-fixed-value-for-author-i.patch diff -Nru libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch --- libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch 1969-12-31 16:00:00.0 -0800 +++ libpam-ldap-186/debian/patches/vers_string-use-fixed-value-for-author-i.patch 2022-11-17 11:42:13.0 -0800 @@ -0,0 +1,21 @@ +From: Chris Lamb +Date: Wed, 15 Feb 2017 17:12:58 +1300 +X-Dgit-Generated: 186-4.1 98efdb0f8a716ed9c1403523c90f3b0b6ff8c493 +Subject: vers_string: Use fixed value for AUTHOR if SOURCE_DATE_EPOCH is set. + +(Closes: #834050) + +--- + +diff --git a/vers_string b/vers_string +index 11af68a..5a072f3 100755 +--- a/vers_string b/vers_string +@@ -16,6 +16,7 @@ chop($AUTHOR); + chop($DATE=`date -u`); + if (defined $ENV{SOURCE_DATE_EPOCH}) { + chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); ++ $AUTHOR="NO DEVELOPER SET"; + } + chop($CWD=`pwd`); + diff -Nru libpam-ldap-186/debian/rules libpam-ldap-186/debian/rules --- libpam-ldap-186/debian/rules2017-05-31 10:19:28.0 -0700 +++ libpam-ldap-186/debian/rules2022-11-17 11:42:13.0 -0800 @@ -4,6 +4,8 @@ export DEB_BUILD_MAINT_OPTIONS= hardening=+bindnow +include /usr/share/dpkg/pkg-info.mk + %: dh $@ --with autoreconf @@ -17,3 +19,6 @@ dh_install install -D -m 644 debian/libpam-ldap.pam-auth-update \ debian/libpam-ldap/usr/share/pam-configs/ldap + +override_dh_auto_build: + dh_auto_build -- PROGRAM=$(DEB_SOURCE)-$(DEB_VERSION_UPSTREAM) live well, vagrant signature.asc Description: PGP signature
Bug#834050: libpam-ldap: please make the build reproducible
On 9/2/20 7:52 PM, Chris Lamb wrote: Hi Lucas, I'm little busy this days, If someone could make patch, please make a NMU. I think I will personally refrain from doing an NMU for such an important security-related package for this issue, but thank you for the 'go ahead'. Indeed, given the importance of this package, is it ridiculous to suggest seeking a co-maintainer on debian-devel? Of course not. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `- -- Lucas Castro
Bug#834050: libpam-ldap: please make the build reproducible
Hi Lucas, > I'm little busy this days, > > If someone could make patch, please make a NMU. I think I will personally refrain from doing an NMU for such an important security-related package for this issue, but thank you for the 'go ahead'. Indeed, given the importance of this package, is it ridiculous to suggest seeking a co-maintainer on debian-devel? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org 🍥 chris-lamb.co.uk `-
Bug#834050: libpam-ldap: please make the build reproducible
I'm little busy this days, If someone could make patch, please make a NMU. On 9/1/20 7:53 PM, Chris Lamb wrote: Chris Lamb wrote: [..] Gentle ping on this? Regards, -- Lucas Castro
Bug#834050: libpam-ldap: please make the build reproducible
Chris Lamb wrote: > [..] Gentle ping on this? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
Bug#834050: libpam-ldap: please make the build reproducible
Lucas Castro wrote: > I suppose the patch hadn't fixed the bug. Ah, try: --- libpam-ldap-186.orig/vers_string +++ libpam-ldap-186/vers_string @@ -14,6 +14,10 @@ if ($ENV{'PROGRAM'}) { $PROGRAM = $ENV{' chop($AUTHOR); chop($DATE=`date -u`); +if (defined $ENV{SOURCE_DATE_EPOCH}) { + chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); + $AUTHOR="NO DEVELOPER SET"; +} chop($CWD=`pwd`); ($PROJECT, $VERSION) = split(/\-/, &getCVSVersionInfo()); Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
Bug#834050: libpam-ldap: please make the build reproducible
Hello, I suppose the patch hadn't fixed the bug. It can be check on [1]. [1] https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/libpam-ldap.html Em 04-02-2017 20:54, Lucas Castro escreveu: > > Sorry, I hadn't noticed the report. > > Tomorrow I'm going to take a loot at it. > > > -- > Lucas Castro > Em 04-02-2017 18:00, Chris Lamb escreveu: >>> this patch and uploading? >> Friendly ping on this :) >> >> >> Best wishes, > signature.asc Description: OpenPGP digital signature
Bug#834050: libpam-ldap: please make the build reproducible
Sorry, I hadn't noticed the report. Tomorrow I'm going to take a loot at it. -- Lucas Castro Em 04-02-2017 18:00, Chris Lamb escreveu: >> this patch and uploading? > Friendly ping on this :) > > > Best wishes, signature.asc Description: OpenPGP digital signature
Bug#834050: libpam-ldap: please make the build reproducible
> Would you consider applying this patch and uploading? Friendly ping on this :) Best wishes, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
Bug#834050: libpam-ldap: please make the build reproducible
Dear Maintainer, > Source: libpam-ldap > Version: 184-8.5 > Tags: patch There hasn't seem to be any update on this bug in 66 days, in which time the Reproducible Builds effort has come on a long way. :) Would you consider applying this patch and uploading? Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `-
Bug#834050: libpam-ldap: please make the build reproducible
Source: libpam-ldap Version: 186-1 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: timestamps X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org Hi, Whilst working on the "reproducible builds" effort [0], we noticed that libpam-ldap could not be built reproducibly. Patch attached. [0] https://wiki.debian.org/ReproducibleBuilds Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- --- a/debian/patches/reproducible_build.patch 1970-01-01 01:00:00.0 +0100 --- b/debian/patches/reproducible_build.patch 2016-08-11 17:24:10.813698405 +0100 @@ -0,0 +1,16 @@ +Description: Make the build reproducible +Author: Chris Lamb +Last-Update: 2016-08-11 + +--- libpam-ldap-186.orig/vers_string libpam-ldap-186/vers_string +@@ -14,6 +14,9 @@ if ($ENV{'PROGRAM'}) { $PROGRAM = $ENV{' + + chop($AUTHOR); + chop($DATE=`date -u`); ++if (defined $ENV{SOURCE_DATE_EPOCH}) { ++ chop($DATE=`LC_ALL=C date --date="@\${SOURCE_DATE_EPOCH}" -u`); ++} + chop($CWD=`pwd`); + + ($PROJECT, $VERSION) = split(/\-/, &getCVSVersionInfo()); --- a/debian/patches/series 2016-08-11 17:18:11.882715439 +0100 --- b/debian/patches/series 2016-08-11 17:24:09.565688068 +0100 @@ -3,3 +3,4 @@ log_shadowlastchange_failure username_for_memberuid manpage_fix_spell.patch +reproducible_build.patch