Source: powerline
Version: 1.2-2
Severity: normal
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps fileordering

Hello,

While working on the “reproducible builds” effort [1], we have noticed that powerline could not be built reproducibly and it leaks the user's environment into the resulting binary package when building.

The environment appears in the file ../usr/share/doc/python-powerline-doc/html/develop/extensions.html which is generated from powerline/renderer.py line 47.

Since the environment is different between different users, this makes the package unreproducible. It might also leak sensitive data the user happens to have in their environment into the package build.

Maybe the environment dump should be filtered? What is the reason for it being stored in segment_info in the first place? What is the purpose of storing the value of $HOME during the package build in the member 'home'?

If these values are important for the operation of the package, then they have to be kept, but they should not be included with their values during the package build in the Sphinx documentation.

Cheers,
akira

[1]: https://wiki.debian.org/ReproducibleBuilds
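
One way a build could check for the leak described in this report, as an added example that is not part of the original message or of powerline's code: scan the generated documentation tree for values of the build environment, both verbatim and HTML-escaped. The names `find_env_leaks` and `demo`, the length threshold and the sample environment are assumptions constructed for illustration.

```python
import html
import tempfile
from pathlib import Path

# Assumed threshold: very short values ("C", "1") match too much unrelated text.
MIN_VALUE_LEN = 6

def find_env_leaks(doc_root, environ, min_len=MIN_VALUE_LEN):
    """Return sorted (relative_path, variable_name) pairs for each
    environment value found in a file under doc_root. Only variable
    names are reported, so the report itself does not repeat secrets."""
    candidates = {}
    for name, value in environ.items():
        if len(value) >= min_len:
            # Sphinx output is HTML, so a value may appear escaped.
            candidates[name] = {value, html.escape(value)}
    hits = set()
    for path in Path(doc_root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for name, forms in candidates.items():
            if any(form in text for form in forms):
                hits.add((path.relative_to(doc_root).as_posix(), name))
    return sorted(hits)

def demo():
    # Constructed build environment and doc tree; not real data.
    env = {"HOME": "/home/builder-a",
           "API_TOKEN": "tok_constructed_123&x",
           "LANG": "C"}
    with tempfile.TemporaryDirectory() as root:
        page = Path(root, "html", "develop", "extensions.html")
        page.parent.mkdir(parents=True)
        # Mimics a dumped environment dict rendered into a doc page.
        page.write_text("<pre>" + html.escape(repr(env)) + "</pre>",
                        encoding="utf-8")
        Path(root, "html", "index.html").write_text(
            "<p>no environment here</p>", encoding="utf-8")
        return find_env_leaks(root, env)

if __name__ == "__main__":
    # In a real build, pass os.environ and the built doc directory.
    for rel_path, var in demo():
        print(f"{rel_path}: contains value of ${var}")
```
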