Bug#1019136: marked as done (cmake injects randomly named dummy function to output binary and it breaks reproducible build)

[Debian Bug Tracking System]

Your message dated Tue, 13 Sep 2022 21:06:51 +0000
with message-id <e1oyd7l-0070fp...@fasolo.debian.org>
and subject line Bug#1019136: fixed in cmake 3.24.2-1
has caused the Debian Bug report #1019136,
regarding cmake injects randomly named dummy function to output binary and it 
breaks reproducible build
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1019136: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1019136
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: cmake
Version: 3.24.1-1
Severity: normal
X-Debbugs-Cc: yokota.h...@gmail.com

Dear Maintainer,

Current CMake (3.24.1) injects randomly named dummy function to output binary.
Output binary works well, but this issue breaks reproducible build.

Injected code can be examine from here:
  
https://salsa.debian.org/cmake-team/cmake/-/blob/debian/3.24.1-1/Source/cmQtAutoMocUic.cxx#L2177
```c++
    // Placeholder content
    cmCryptoHash hash(cmCryptoHash::AlgoSHA256);
    const std::string hashedPath = hash.HashString(compAbs);

    const std::string functionName =
      "cmake_automoc_silence_linker_warning" + hashedPath;
    content += "// No files found that require moc or the moc files are "
               "included\n"
               "void " +
      functionName + "() {}\n";
```

Randomly named dummy function was generated from absolute path name and SHA256.
Absolute path name might be vary in each development machines because
source code will be placed in each developer's own path.
So, this feature generates non-deterministic output, and breaks
reproducible build.

Here is issue about this feature in upstream:
  https://gitlab.kitware.com/cmake/cmake/-/issues/23551
And merge request:
  https://gitlab.kitware.com/cmake/cmake/-/merge_requests/7558

This bug will break Debian "calibre" package from reproducible build.
  
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/calibre.html

I want to make Debian "calibre" package to reproducible.

--
YOKOTA Hiroshi

--- End Message ---

--- Begin Message ---

Source: cmake
Source-Version: 3.24.2-1
Done: Timo Röhling <roehl...@debian.org>

We believe that the bug you reported is fixed in the latest version of
cmake, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1019...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Röhling <roehl...@debian.org> (supplier of updated cmake package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Sep 2022 21:38:03 +0200
Source: cmake
Architecture: source
Version: 3.24.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian CMake Team <pkg-cmake-t...@lists.alioth.debian.org>
Changed-By: Timo Röhling <roehl...@debian.org>
Closes: 1019136
Changes:
 cmake (3.24.2-1) unstable; urgency=medium
 .
   * New upstream version 3.24.2
     - Revert AUTOMOC dummy function (Closes: #1019136)
Checksums-Sha1:
 f2fff25e2b35d17d066b71b2fbb9097681b98c17 3419 cmake_3.24.2-1.dsc
 c2441ed6e00ba2c5ad0b7cd06afa8057769b9c1b 10396126 cmake_3.24.2.orig.tar.gz
 2b8700aeb7c246b6854e5117ccbb628ff5ded69b 32504 cmake_3.24.2-1.debian.tar.xz
Checksums-Sha256:
 1cda7838f66caa436879576f2d3581448e8d4754b50c9099bba36419482c5c78 3419 
cmake_3.24.2-1.dsc
 0d9020f06f3ddf17fb537dc228e1a56c927ee506b486f55fe2dc19f69bf0c8db 10396126 
cmake_3.24.2.orig.tar.gz
 65674e9de5f492a705188cccfbf153af3d8144e35c7885bff6e54c0403fab53b 32504 
cmake_3.24.2-1.debian.tar.xz
Files:
 8e1c4a8dd834bb56d1613a658d69c24e 3419 devel optional cmake_3.24.2-1.dsc
 84d08f30b110401d8178f0708c19f1fe 10396126 devel optional 
cmake_3.24.2.orig.tar.gz
 0361cb3e3d2dad34bf7c1620836fab1a 32504 devel optional 
cmake_3.24.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQHIBAEBCgAyFiEEJvtDgpxjkjCIVtam+C8H+466LVkFAmMg6R8UHHJvZWhsaW5n
QGRlYmlhbi5vcmcACgkQ+C8H+466LVlD9wv/TH2a3Bgf6aRkEAH/Guf+zHAK5ldm
i9qgRu8xquiVrqcNB0G9/qy5DANV7qJ27y7Nk7bM9fhGnpSwjfOjz9TqubNRf8qO
Af06Yxoa7YrX2jJE/JkiIqvvhX8ADMtx6ILs2OstkjUutNqzi8ZOZ6LY8Aa6NNMI
I6JTFnq0I22aPGa9LiIJL+TTca8czDkgavkX4jR1gjGPzr5di58gwCdEWBU7El38
1oo1N1jf+Y7XCyuUlzH613R99eM64syqKk/UWt4wfqsV5nFoTTw+v+NAaunzP8Kq
4jwG37J0PKyf6z4OZMzK+NyVycZoko7pNA/57+zjHLxh03UyPfOQSIpX1VVcG/qS
fUoEYbyriM7gF/KOhmJf+OYAzWGsORJupVYsfpCcV51SGAQp/+e4Mjo7O4pGH6PE
fWM45mf/5ZYU4O8FymulKaCeqLYNHBOnfOzLu+tDvW5GjzsqqtTKLQ3Q2ggz8WyS
7QGbXb4+1JbFVZmQ4f2Sxs3QR8UgoA3FSUTe
=W0Gk
-----END PGP SIGNATURE-----

--- End Message ---