On Thu, 2020-08-27 at 13:06:56 +0000, Holger Levsen wrote:
> On Thu, Aug 27, 2020 at 03:00:43PM +0200, Aurelien Jarno wrote:
> > On 2020-08-27 13:25, Holger Levsen wrote:
> > > Package: buildd.debian.org
> > > Severity: wishlist
> > > User: reproducible-bui...@lists.alioth.debian.org
> > > Usertags: environment
> > >
> > > since a while dpkg adds a small note to a .buildinfo if /usr/local/sbin
> > > is populated (which I'm not sure I agree is sensible, but it's what dpkg
> > > currently does), eg
> > >
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep Build-Tainted-By: 08/ |wc -l
> > > 35473
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ find 08 -name "*.buildinfo" | wc -l
> > > 37182
> > >
> > > so almost all .buildinfo files from August 2020 are tainted.
> > >
> > > (profitbricks7 is hosting https://buildinfos.debian.net if you want to check
> > > for yourself easily.)
> > >
> > > So how are they tainted:
> > >
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
> > > Build-Tainted-By:
> > >  usr-local-has-programs
> > > Installed-Build-Depends:
> > >
> > > And then, also, not all .buildinfo files are tainted by
> > > "usr-local-has-programs" because
> > >
> > > holger@profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep usr-local-has-programs 08/ |wc -l
> > > 35017
> > >
> > > (But I guess that's probably material for another bug report.)
> > >
> > > Any chance the Debian buildds could not have a tainted /usr/local?
> >
> > The only file in /usr/local is /usr/local/sbin/policy-rc.d which is
> > needed to prevent daemons to start in the chroot. Not sure how we can do
> > things differently.
>
> thanks for that info! maybe dpkg could treat /usr/local not as tainted if the
> only file in /usr/local is /usr/local/sbin/policy-rc.d ?

While we could perhaps add an exception in the Debian vendor profile. It
does look like this is working as intended? :) This is a local file that
might affect the build, which is otherwise not trackable, say what
"version" (with which changes) was being used, etc.

I think ideally this would be using a system pathname and be part of a
package that gets then listed in the .buildinfo files.

Thanks,
Guillem
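The two grep counts quoted in the thread differ (35473 tainted files, 35017 with usr-local-has-programs), so some files carry a different taint reason. The following is an added example, not part of the original thread or of dpkg: it parses the Build-Tainted-By field and lists files tainted by something other than a given reason. The file names and field contents are constructed sample data, and merged-usr-via-symlinks is a dpkg reason tag that the thread itself does not mention.

```python
from collections import Counter

FIELD = "Build-Tainted-By:"

def taint_reasons(text):
    """Return the reason tags listed in a .buildinfo's Build-Tainted-By field."""
    reasons, in_field = [], False
    for line in text.splitlines():
        if line.startswith(FIELD):
            in_field = True
            reasons += line[len(FIELD):].split()
        elif in_field and line[:1] in (" ", "\t"):
            reasons += line.split()   # continuation line of the same field
        elif in_field:
            break                     # next field or blank line ends it
    return reasons

def summarize(files):
    """Count files per reason tag and list the files with no taint at all."""
    per_reason, untainted = Counter(), []
    for name, text in files.items():
        found = set(taint_reasons(text))
        per_reason.update(found)
        if not found:
            untainted.append(name)
    return per_reason, sorted(untainted)

def tainted_without(files, reason):
    """Names of files that are tainted, but not by `reason`."""
    return sorted(name for name, text in files.items()
                  if taint_reasons(text) and reason not in taint_reasons(text))

# Constructed sample input (not real buildd output).
TAIL = "Installed-Build-Depends:\n base-files (= 11)\n"
SAMPLE = {
    "a_1.0_amd64.buildinfo": "Format: 1.0\nBuild-Tainted-By:\n usr-local-has-programs\n" + TAIL,
    "b_1.0_amd64.buildinfo": "Format: 1.0\nBuild-Tainted-By:\n merged-usr-via-symlinks\n"
                             " usr-local-has-programs\n" + TAIL,
    "c_1.0_amd64.buildinfo": "Format: 1.0\n" + TAIL,
    "d_1.0_amd64.buildinfo": "Format: 1.0\nBuild-Tainted-By: merged-usr-via-symlinks\n" + TAIL,
}

if __name__ == "__main__":
    counts, clean = summarize(SAMPLE)
    print(dict(counts), clean)
    print(tainted_without(SAMPLE, "usr-local-has-programs"))
```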