Your message dated Sun, 24 Nov 2024 21:35:29 +0000
with message-id <e1tfkgp-00fyug...@fasolo.debian.org>
and subject line Bug#1088144: fixed in cdbs 0.4.167
has caused the Debian Bug report #1088144,
regarding cdbs: please remove support for dh-buildinfo, superseded by .buildinfo
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1088144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088144
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cdbs
Severity: normal
Tags: patch
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
User: reproducible-bui...@lists.alioth.debian.org
Usertags: toolchain
Dear Maintainer,
I'm an occasional volunteer contributor to the Reproducible Builds[1] project,
and noticed recently that a reasonably large (1000+) number of Haskell packages
fail to rebuild deterministically according to the https://reproduce.debian.net
test infrastructure.
I believe that the cause relates to the fact that the affected packages use the
cdbs build system, often by means of include statements in their rules files,
when building their documentation binary packages (*-doc).
In particular, a default-enabled call to dh-buildinfo in the debhelper.mk.in
template[2] inhibits rebuild reproducibility for the packages, because the
'buildinfo_*.gz' files produced in the resulting output Debian binary packages
contain package-and-version information from the build host -- particularly
Essential set packages -- that may change over time despite having no influence
on other content in the binary documentation package.
I discovered this after attempting a local rebuild of src:haskell-time-parsers
and finding that the 'login' package mentioned in the 'buildinfo_all.gz' file
was different between my local libghc-time-parsers-doc_0.2-2_all.deb build
output and the version of that file hosted in the Debian archive.
The preferred format[4] to declare the relevant set of build dependencies to
(re)construct a Debian binary package identically from source is .buildinfo[5],
and I believe that this offers a replacement for the dh-buildinfo call.
I would like to request that dh-buildinfo is removed from the build-deps for
the build-depends that it generates[2] for packages that use cdbs as a
buildsystem.
I suggest this (with patch attached) as a way to allow package maintainers to
opt-in to continuing to use dh-buildinfo for their packages if they want to by
adding it to their build-dep(-indep) clauses, while simultaneously allowing the
majority of packages to achieve more future-proof build reproducibility.
Regards,
James
[1] - https://reproducible-builds.org
[2] - https://sources.debian.org/src/cdbs/0.4.166/1/rules/debhelper.mk.in/#L105-L106
[3] - https://manpages.debian.org/bookworm/devscripts/debrebuild.1.en.html
[4] - https://reproducible-builds.org/tools/
[5] - https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles
From: James Addison <j...@jp-hosting.net>
Date: Sat, 23 Nov 2024 20:26:42 +0000
Subject: Remove default addition of dh-buildinfo build-dep
The dh_buildinfo helper produces a list of dependencies found on
the build host, to aid downstream sites rebuilding from source.
However, this file can in fact inhibit reproducibility, because
some dependencies that vary on the build host may not be relevant
to the build process.
A more recent and preferred format of the Reproducible Builds[1]
project that achieves the same goal for Debian packages is the
.buildinfo format; as of Y2024 these files are widely used and are
in active use verifying bit-for-bit package (re)build integrity.
So, remove the default dependency on dh-buildinfo; individual
package maintainers may choose to enable it if they wish to.
---
Index: cdbs-0.4.166/1/rules/debhelper.mk.in
===================================================================
--- cdbs-0.4.166.orig/1/rules/debhelper.mk.in
+++ cdbs-0.4.166/1/rules/debhelper.mk.in
@@ -102,9 +102,6 @@ CDBS_BUILD_DEPENDS_rules_debhelper_v10 ?
CDBS_BUILD_DEPENDS_rules_debhelper_v$(DH_COMPAT) ?= debhelper (>=
$(DH_COMPAT)~)
CDBS_BUILD_DEPENDS +=, $(CDBS_BUILD_DEPENDS_rules_debhelper_v$(DH_COMPAT))
-CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo ?= dh-buildinfo
-CDBS_BUILD_DEPENDS +=, $(CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo)
-
ifeq ($(DEB_VERBOSE_ALL), yes)
DH_VERBOSE = 1
endif
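Review bot: the removed CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo line was a ?= default, so a package that still sets that variable in its own rules file will have the setting silently ignored after this change. Please note the removal in the changelog or documentation so that maintainers who want to opt in know to add dh-buildinfo to their own build-dependencies. The hunk also changes only the generated build-dependency; nothing visible here touches a rule that runs dh_buildinfo, so please confirm that any such call elsewhere in the template is removed as well, or is skipped when the tool is not installed.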
--- End Message ---
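Added example (not part of the original report, and not cdbs or dpkg code): a Python sketch of how a rebuilder can read the build environment from a dpkg .buildinfo file, which is kept outside the .deb, and list the host packages that drifted between two builds of the same source. The two fragments and every dependency version in them are constructed sample values; the function names are hypothetical.

```python
import re

# Constructed .buildinfo fragments: dependency names and versions are samples.
ARCHIVE_BUILD = """\
Format: 1.0
Source: haskell-time-parsers
Version: 0.2-2
Installed-Build-Depends:
 base-files (= 1.0),
 ghc (= 2.0-1),
 login (= 1:3.0-1)
Environment:
 LANG="C.UTF-8"
"""
LOCAL_REBUILD = ARCHIVE_BUILD.replace("login (= 1:3.0-1)", "login (= 1:3.0-2)")

# One entry per continuation line: " name[:arch] (= version)[,]"
ENTRY = re.compile(r"\s+([^\s:(]+)(?::\S+)?\s+\(=\s*([^)\s]+)\)")


def installed_build_depends(buildinfo_text):
    """Return {package: version} from the Installed-Build-Depends field."""
    deps, in_field = {}, False
    for line in buildinfo_text.splitlines():
        if line.startswith("Installed-Build-Depends:"):
            in_field = True
            continue
        if in_field:
            if not line.startswith((" ", "\t")):
                break  # a non-indented line starts the next field
            match = ENTRY.match(line)
            if match:
                deps[match.group(1)] = match.group(2)
    return deps


def environment_drift(first_text, second_text):
    """Map each package whose version differs to (first, second) versions."""
    first = installed_build_depends(first_text)
    second = installed_build_depends(second_text)
    return {
        pkg: (first.get(pkg), second.get(pkg))
        for pkg in sorted(first.keys() | second.keys())
        if first.get(pkg) != second.get(pkg)
    }


if __name__ == "__main__":
    for pkg, (old, new) in environment_drift(ARCHIVE_BUILD, LOCAL_REBUILD).items():
        print(f"{pkg}: {old} -> {new}")
```

Because this record travels beside the package rather than inside it, a change such as the 'login' version above does not alter the bytes of the resulting .deb.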
--- Begin Message ---
Source: cdbs
Source-Version: 0.4.167
Done: Holger Levsen <hol...@debian.org>
We believe that the bug you reported is fixed in the latest version of
cdbs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1088...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <hol...@debian.org> (supplier of updated cdbs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 24 Nov 2024 22:19:54 +0100
Source: cdbs
Architecture: source
Version: 0.4.167
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Holger Levsen <hol...@debian.org>
Closes: 1088144
Changes:
cdbs (0.4.167) unstable; urgency=medium
.
* QA upload from the Reproducible Builds team.
* Drop dh_buildinfo support, dpkg since 2016 produces .buildinfo files.
Thanks to James Addison. Closes: #1088144. Also see #1068809.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---