From mboxrd@z Thu Jan 1 00:00:00 1970 From: Leo Famulari Subject: bug#27563: [PATCH v3 2/2] gnu: ghostscript: Write document ID only when encrypting. Date: Fri, 7 Jul 2017 13:24:07 -0400 Message-ID: <20170707172407.GA28712@jasmine.lan> References: <20170703200844.3f6d9e19@scratchpost.org> <20170706103216.25939-1-dannym@scratchpost.org> <20170706103216.25939-3-dannym@scratchpost.org> <87podca20z.fsf@gnu.org> <20170707152149.3235f3aa@scratchpost.org> <20170707162151.GA17441@jasmine.lan> <20170707184225.4279f1cd@scratchpost.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="OgqxwSJOaUobr8KG" Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:50069) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1dTX06-0002Lk-V7 for bug-guix@gnu.org; Fri, 07 Jul 2017 13:25:08 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1dTX02-0001q7-Vb for bug-guix@gnu.org; Fri, 07 Jul 2017 13:25:06 -0400 Received: from debbugs.gnu.org ([208.118.235.43]:54323) by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1dTX02-0001py-RV for bug-guix@gnu.org; Fri, 07 Jul 2017 13:25:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1dTX02-0007bZ-ER for bug-guix@gnu.org; Fri, 07 Jul 2017 13:25:02 -0400 Sender: "Debbugs-submit" Resent-Message-ID: Content-Disposition: inline In-Reply-To: <20170707184225.4279f1cd@scratchpost.org> List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org Sender: "bug-Guix" To: Danny Milosavljevic Cc: 27563@debbugs.gnu.org --OgqxwSJOaUobr8KG Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jul 07, 2017 at 06:42:25PM +0200, Danny Milosavljevic wrote: > Leo Famulari wrote: > > > That leaves the document UUID - and upstream, in some of the other > > I think the lowest risk is to do nothing to Ghostscript and move the PDF > > documentation to a separate 'doc' output. Then, we could have > > reproducible binaries and ignore the PDF issues for now. Does anyone > > know how many packages include PDF documentation built with Ghostscript? >=20 > Aren't the derivations of the doc outputs still a problem? For > example, Hydra will run out of space sooner or later because it keeps > building them, right? Do these timestamps and UUID affect the derivations? I figured they only affected the result of running the derivation =E2=80=94 that is, the output= of the build process. Those outputs are what we'd like to create reproducibly, but they don't cause rebuilds if they are not reproducible. If a package's dependency graph is identical to before, Guix (and I assume Hydra) will not rebuild it, even if we humans know that the built output is unreproducible, such as when timestamps are embedded. My apologies if I misinterpreted your question. We run out of space and have to garbage collect periodically anyways. Regardless, once we own the Hydra machine, I'd like for us to buy a huge amount of storage and keep built outputs for much longer than we do now. In practice, it's not really possible to go back in time more than 6 months of Guix, due to missing upstream sources and test suites with expiration dates. > > 2) At least some of the patches in the related Ghostscript discussions > > seem to be proof of concepts rather than finished code: > > https://bugs.ghostscript.com/show_bug.cgi?id=3D697484#c3 > > So, if these patches came from there, we'd want to be extra careful. >=20 > No, I wrote the ones here without external sources (except for the > direct discussion on my newish upstream bug report, and the PDF and > XMP specifications - whatever worth they have). Ah, thanks for the clarification. > > By the way, this is the patch used for Debian's latest Ghostscript > > package: > >=20 > > https://anonscm.debian.org/git/printing/ghostscript.git/tree/debian/pat= ches/2010_add_build_timestamp_setting.patch?id=3De2bf3ad7026afe13636d493743= 0c3fdae7854078 > >=20 > > That patch was not reviewed on a public forum, at least nothing I can > > find with Google. Again, I'd want to get the Ghostscript team's advice. >=20 > On such an approach they advised that we should only generate *unique* > UUIDs. But the UUIDs are generated from these times. So that linked > patch would generate multiple non-unique uuids on systems. >=20 > That's why I removed the entire UUID and Time sections and actually > didn't fiddle with the ghostscript-internal times at all. Builds > reproducibly. >=20 > I wonder how many packages actually use the ghostscript pdf writer > too. How to find that out? >=20 > Note that groff itself also fails to build reproducibly without the > patches. >=20 > In any case, the patch 2/2 is quite tame (it looks scary because of > the printf splitting, but it's actually just either leaving "/ID[...]" > off or not, globally). >=20 > But I understand that it would be even easier to do nothing. Wouldn't > make the stuff reproducible, though. >=20 > I'd vote for an environment variable to disable UUID printing and also > Time header printing. That way it would do everything normally in > regular usage - but when used in packages, it would just not *print* > the problematic stuff. No internal state is changed at all by the > patches. Okay, thank you for explaining this (especially if you already explained it! It's hard to join a conversation like this halfway through). I'll read your patches carefully later today. --OgqxwSJOaUobr8KG Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAllfw7MACgkQJkb6MLrK fwiR+Q/8DVSWrRDErg8LfsRA348/vdlzKzEKNt+SnqxwJpsX2N3m2tmYceGKf5rJ U4lAVIqSQAhH6P9ASg5bo3bUcXTwUjFBUATZHB/w0IEQlSI9gjrVKaJMK/tbb4Er UqlO1Odw2k54JdyGa/ywGIlTia+wpVG7166BqGhGJULjXqtidueHLlE7trRZXAWs MEUIdvfrt1lwjoMiIV17i6g0CTmZRAPKQMEUws5pTwO+uG2soVOvJp+4bFMm19Rz QYFN3rO1BzJJTrp0znBg/NLGcq+awJhD3sy8thHjmaesNYmkpcxx2p7aJ6W8vEI2 lQN1jFpWaD78Snjb+Mwbf3wwBKh7+c5B4ok9PCNEoPGQXURDaRQPMQyfghlgxfof UiNR1JDmQKGhg8hptNodA1sWJrp/3zD+Z8kYu1n8bYzbL/FAUYaBWbD1QWJZxrcG gXgZrLJ8VcRQ8jLXvf22VUqCxHyMyt0sWBfVv64K0QUcEe5RoS/AR0pwq1ThUH8+ QCAcwwtsPM8GNUEN9fHwMdhU1X6qolCzUpMquh3bejLaQCDsCAHIGRUrUd5FizhA LYEmy053NytI8cOiMiXCbX1JfUvmxPQyYkLheDJF0bTvvCbnNHP+XfCkeR9GXmbk cmVt33xTXPMAqELwFx8o2qsCuhZUWlg/2sCZ+d1Ks9HednXGLCU= =6rDT -----END PGP SIGNATURE----- --OgqxwSJOaUobr8KG--