Bug#1020809: aespipe: reproducible-builds: build path embedded in /usr/bin/aespipe

[Chris Lamb]

tags 661079 + pending patch
tags 1020809 + pending patch
thanks

I've just uploaded aespipe 2.4d-1.1 to DELAYED/10:
  
  aespipe (2.4d-1.1) unstable; urgency=medium
  .
* Non-maintainer upload.
* Move to dpkg-buildflags(1) in debian/rules:
  - Ensure that the stack is not executable. (Closes: #661079)
  - Make the build reproducible by setting -fdebug-prefix-map.
(Closes: #1020809)

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for aespipe-2.4d aespipe-2.4d

 changelog |   10 ++
 rules |   22 ++
 2 files changed, 16 insertions(+), 16 deletions(-)

diff -Nru aespipe-2.4d/debian/changelog aespipe-2.4d/debian/changelog
--- aespipe-2.4d/debian/changelog   2016-11-28 11:39:38.0 +
+++ aespipe-2.4d/debian/changelog   2022-12-08 17:14:21.0 +
@@ -1,3 +1,13 @@
+aespipe (2.4d-1.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Move to dpkg-buildflags(1) in debian/rules:
+- Ensure that the stack is not executable. (Closes: #661079)
+- Make the build reproducible by setting -fdebug-prefix-map.
+  (Closes: #1020809)
+
+ -- Chris Lamb   Thu, 08 Dec 2022 17:14:21 +
+
 aespipe (2.4d-1) unstable; urgency=medium
 
   * New upstream release
diff -Nru aespipe-2.4d/debian/rules aespipe-2.4d/debian/rules
--- aespipe-2.4d/debian/rules   2016-11-10 23:50:56.0 +
+++ aespipe-2.4d/debian/rules   2022-12-08 17:14:21.0 +
@@ -1,22 +1,15 @@
 #!/usr/bin/make -f
 #export DH_VERBOSE=1
 
-CFLAGS = -Wall -g
+export DEB_BUILD_MAINT_OPTIONS=hardening=-pie 
reproducible=-fixfilepath,+fixdebugpath
+
+DPKG_EXPORT_BUILDFLAGS = 1
+include /usr/share/dpkg/buildflags.mk 
+
 DEB_HOST_ARCH   ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
 DEB_HOST_GNU_TYPE   ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 DEB_BUILD_GNU_TYPE  ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 
-ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
-   CFLAGS += -O0
-else
-# needed because of gcc-4.0 problems (#325131)
-ifneq (,$(filter $(DEB_HOST_ARCH),arm hppa))
-   CFLAGS += -O1
-else
-   CFLAGS += -O2
-endif
-endif
-
 ifeq ($(DEB_HOST_ARCH),amd64)
DEBIAN_OPTIMIZE := amd64
 endif
@@ -25,16 +18,13 @@
DEBIAN_OPTIMIZE := x86
 endif
 
-CFLAGS += -no-pie
-LDFLAGS += -no-pie
-
 config.status: configure
dh_testdir
 
ln -sf /usr/share/misc/config.sub .
ln -sf /usr/share/misc/config.guess .
 
-   CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" ./configure \
+   ./configure \
  --host=$(DEB_HOST_GNU_TYPE) \
  --build=$(DEB_BUILD_GNU_TYPE) \
  --prefix=/usr \

Bug#1020809: aespipe: reproducible-builds: build path embedded in /usr/bin/aespipe

[Vagrant Cascadian]

Source: aespipe
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The build path is embedded in /usr/bin/pbyacc:

  
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/aespipe.html

  /build/1st/aespipe-20050907/aespipe.c:181
  vs.
  /build/2/aespipe-20050907/2nd/aespipe.c:181

The attached patch to debian/rules fixes this by adding
-ffile-prefix-map and --debug-prefix-map to CFLAGS.

According to my local tests, with this patch applied aespipe should
build reproducibly on tests.reproducible-builds.org!

Thanks for maintaining aespipe!

live well,
  vagrant
From 631531afe7d566abdf80b2a9fbcf31686ee46ca1 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian 
Date: Tue, 27 Sep 2022 00:30:50 +
Subject: [PATCH] debian/rules: Pass -ffile-prefix-map and --debug-prefix-map
 via CFLAGS to avoid embedding the build path.

https://reproducible-builds.org/docs/build-path/
---
 debian/rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/rules b/debian/rules
index 36b04ad..94a4765 100755
--- a/debian/rules
+++ b/debian/rules
@@ -28,6 +28,9 @@ endif
 CFLAGS += -no-pie
 LDFLAGS += -no-pie
 
+# Avoid ebmedding build path in the binaries for reproducible builds
+CFLAGS += -ffile-prefix-map=$(CURDIR)=. --debug-prefix-map=$(CURDIR)=.
+
 config.status: configure
 	dh_testdir
 
-- 
2.37.2



signature.asc
Description: PGP signature