Hi, I have worked on porting the security issues fixed in wheezy into jessie for the Mercurial package, as I previously mentioned here.
I was not able to make the package build reproducibly. The test suite fails during the build because of an ordering issue in the `hg serve` output and I cannot figure out why. Here's an example of the build failure: --- /<<PKGBUILDDIR>>/tests/test-http-permissions.t +++ /<<PKGBUILDDIR>>/tests/test-http-permissions.t.err @@ -303,14 +303,14 @@ $ "$TESTDIR/get-with-headers.py" $LOCALIP:$HGPORT '?cmd=listkeys' --requestheader 'x-hgarg-1=namespace=phases' 200 Script output follows - cb9a9f314b8b07ba71012fcdbc544b5a4d82ff5b 1 - publishing True (no-eol) + publishing True + cb9a9f314b8b07ba71012fcdbc544b5a4d82ff5b 1 (no-eol) $ "$TESTDIR/get-with-headers.py" $LOCALIP:$HGPORT '?cmd=batch' --requestheader 'x-hgarg-1=cmds=listkeys+namespace%3Dphases' 200 Script output follows - cb9a9f314b8b07ba71012fcdbc544b5a4d82ff5b 1 - publishing True (no-eol) + publishing True + cb9a9f314b8b07ba71012fcdbc544b5a4d82ff5b 1 (no-eol) $ "$TESTDIR/get-with-headers.py" $LOCALIP:$HGPORT '?cmd=customreadnoperm' 405 push requires POST request Runnning the same test on stretch gives the expected result: it's unclear why those two lines are reversed. There are provisions in `get-with-headers.py` to ensure consistent output, but it works only for headers and JSON output, which isn't used in the test. The package I managed to build obviously passes that test suite, and *reliably*, that is if you install the package and rerun the above tests, it will work consistently. So something in the *build* process changes the output non-deterministically, which is very strange to me. I almost uploaded the resulting package, but figured it might FTBFS on the buildds, so I uploaded the ready-to-upload package on people: https://people.debian.org/~anarcat/debian/jessie-lts/ I am out of time for this month so I need to give this back to the pool. Hopefully someone else with better Mercurial chops can figure this out. A. -- Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety. - Benjamin Franklin, 1755
