Bug#872184: quilt: please make the build reproducible

2017-08-14 Thread Philip Rinn 
Source: quilt
Version: 0.63-8.1
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Dear Maintainer,

While working on the "reproducible builds" effort [1], we have noticed
that 'quilt' could not be built reproducibly.

The attached patch uses 'html2text' to produce the plain text version of the
manual. As a result the plain text version does not include absolute paths
anymore. Once applied, quilt can be built reproducibly in our current
experimental framework.

Regards,

Philip

 [1]: https://wiki.debian.org/ReproducibleBuilds
diff -Nru quilt-0.63/debian/control quilt-0.63/debian/control
--- quilt-0.63/debian/control	2016-12-21 02:36:16.0 +0100
+++ quilt-0.63/debian/control	2017-08-15 00:31:38.0 +0200
@@ -4,7 +4,7 @@
 Maintainer: Martin Quinson 
 Uploaders: Ryan Niebur 
 Build-Depends: debhelper (>= 9)
-Build-Depends-Indep: gettext, hevea, lynx, diffstat, perl, procmail, ed
+Build-Depends-Indep: gettext, hevea, html2text, diffstat, perl, procmail, ed
 Standards-Version: 3.9.8
 Vcs-git: git://anonscm.debian.org/collab-maint/quilt
 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/quilt.git
diff -Nru quilt-0.63/debian/rules quilt-0.63/debian/rules
--- quilt-0.63/debian/rules	2017-07-17 20:39:58.0 +0200
+++ quilt-0.63/debian/rules	2017-08-15 00:31:28.0 +0200
@@ -26,8 +26,7 @@
 	cd doc/tmp; LC_ALL=C hevea ../main.tex ; LC_ALL=C hevea ../main.tex; LC_ALL=C hevea ../main.tex
 	perl -pe 'if (/\\sh\{.*}/) {s:\\sh\{(.*)}:$$1:}'	\
 	 < doc/tmp/main.html > doc/quilt.html
-	LC_ALL=C perl -e '$$/ = undef; $$f=<>; $$f =~ s|]*?HREF="[^"]*#[^"]*">(.*?)|$$1|msg; print $$f;' < doc/tmp/main.html > doc/tmp/tmp.html
-	LC_ALL=C lynx doc/tmp/tmp.html -dump > doc/quilt.txt
+	LC_ALL=C html2text -style pretty -o doc/quilt.txt doc/quilt.html
 else
 	touch doc/quilt.html doc/quilt.txt
 endif


signature.asc
Description: OpenPGP digital signature
___
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Please review the draft for week 120's blog post

2017-08-14 Thread Chris Lamb 
Hi all,

Please review the draft for week 120's blog post:

  https://reproducible.alioth.debian.org/blog/drafts/120/

Feel free to commit any changes directly to drafts/120.mdwn in Git:

https://anonscm.debian.org/git/reproducible/blog.git/

I am very happy to reword and/or rework prior to publishing. I intend
to publish it no earlier than:

  https://time.is/compare/1700_16_Aug_2017_in_UTC

or

  $ date -d 'Wed, 16 Aug 2017 17:00:00 +'


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

___
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Re: More info about nondeterminism_added_by_pyqt5_pyrcc5

2017-08-14 Thread Chris Lamb 
Dear Federico,

> There are two possible solutions[2]: set the environment variable
> QT_HASH_SEED to a constant value before
> pyrcc5 is called (this is my current workaround) or call 
> qSetGlobalQHashSeed().
> 
> I can help with the implementation if needed.

Neat! Please do so. :)

Probably best to file that directly with the offending package and set
the various "usertags" so we can track it:

   https://wiki.debian.org/ReproducibleBuilds/Contribute#How_to_report_bugs


Indeed, would you be interested in updating our notes on this issue
directly? If so, please join our group on Alioth, and then clone our:

   https://anonscm.debian.org/git/reproducible/notes.git/

.. repository. The `packages.yml` and `issues.yml` files should be pretty
self-explanatory.

(If not, just let me know and I'll update them myself.)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

___
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

More info about nondeterminism_added_by_pyqt5_pyrcc5

2017-08-14 Thread Federico Brega 
Hello,

I'm packaging an application making use of pyrcc5 and I noticed the
nondeterminism it adds.
I see[1] that this is currently description is not correct.
You can see that pyrcc5 uses QHash, which is made to avoid algorithmic
complexity attacks[2]
introducing a randomization.

There are two possible solutions[2]: set the environment variable
QT_HASH_SEED to a constant value before
pyrcc5 is called (this is my current workaround) or call qSetGlobalQHashSeed().

I can help with the implementation if needed.

Regards
--
Federico

[1] 
https://tests.reproducible-builds.org/debian/issues/unstable/nondeterminism_added_by_pyqt5_pyrcc5_issue.html
[2] http://doc.qt.io/qt-5/qhash.html

___
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Bug#869868: Diffoscope should be much more flexible with respects to the ELF tools it uses

2017-08-14 Thread Daniel Egger 
Hi Chris,

> Can you give me an example? eg. Where are these binaries located, etc.
> etc. or are they in such bespoke dirs that the ability to override
> externally is required?

The issue here is: the tools are architecture dependent, for ARM binaries 
you'll need tools compiled with ARM support, e.g. 
https://packages.debian.org/buster/amd64/binutils-arm-none-eabi/filelist . They 
often live right next to the regular tools but are prefixed with the 
architecture triplet, but there're also custom toolchains which have the same 
triplet prefix but live in a custom prefix like /opt. The one without the 
triplet prefixed is in many cases only capable of handling the native and 
compatible architectures, so trying to use that on an ARM binary will not work.

Preferably diffoscope would look at the ELF binary and automagically try to use 
the correct binutils for processing but for the start I'd be happy if I could 
just tell it which tool to use rather than resorting to extreme measures like 
manipulating the binary search path or linking the desired binary over the 
generic name in a preferred binary path and then back again.

Servus,
  Daniel

___
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds

Bug#869868: Diffoscope should be much more flexible with respects to the ELF tools it uses

2017-08-14 Thread Chris Lamb 
Hi Daniel,

> However it doesn't stop there: With objdump you can't just pick
> *any* version but you need one with support for the precisely
> the target architecture you want to look at

Can you give me an example? eg. Where are these binaries located, etc.
etc. or are they in such bespoke dirs that the ability to override
externally is required?


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

___
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds