From: Vagrant Cascadian
To: Guix Devel
Subject: maradns reproducibility fixes and the merits of picking a random number
Date: Mon, 06 Jun 2022 18:49:34 -0700
Message-ID: <87pmjlfdjl.fsf@contorta>
List-Id: "Development of GNU Guix and the GNU System distribution."
So, I've got a fix for the reproducibility issues for maradns... part of the fixes are fairly obvious, setting a specific date and setting the version to be, well, the version...

But there's one nervous-making issue this revealed; maradns embeds a random number at build time ... allegedly for systems that don't have /dev/urandom... see maradns-3.5.0020/deadwood-3.5.0020/src/Makefile.ubuntu2004:

  # Since some systems may not have /dev/urandom (Windows, *cough* *cough*), we
  # keep a randomly generated prime around

So it's got some code to generate a random number at build time and embed it in the binary. Now, if there's anything I know about good practices about random numbers, this sort of thing is generally a very large red flag! It also makes the package build differently every time!
So, Debian's maradns package just removes this embedding of a "random" number, and I've basically adapted their patches to build reproducibly on guix too... by basically embedding the same "random" number every single build!

That said, hopefully it actually uses /dev/urandom and this is just a fallback for when /dev/urandom is missing? Is that actually how this is supposed to work? Is that actually how the code does work?

If that's the case, I think the following patch should work ok on Guix. But I wanted some extra eyes on this before pushing...

live well,
  vagrant

p.s. Obviously, I picked the best random number.

From a2e10d39de37c363b25f06dbb275e2bf6d614b7c Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian
Date: Sun, 5 Jun 2022 13:57:27 -0700
Subject: [PATCH 3/3] gnu: maradns: Build reproducibly.

* gnu/packages/patches/maradns-deadwood-do-not-embed-random-number.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patch.
* gnu/package/dns.scm (maradns)[source]: Add patch.
[arguments]: Pass VERSION and COMPILED via makeflags.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/dns.scm                          |  7 +++-
 ...-deadwood-do-not-embed-random-number.patch | 38 +++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/maradns-deadwood-do-not-embed-random-number.patch

diff --git a/gnu/local.mk b/gnu/local.mk index 68b317b32a..ff1135e48e 100644 =2D-- a/gnu/local.mk +++ b/gnu/local.mk @@ -1471,6 +1471,7 @@ dist_patch_DATA =3D \ %D%/packages/patches/lvm2-static-link.patch \ %D%/packages/patches/mailutils-variable-lookup.patch \ %D%/packages/patches/make-impure-dirs.patch \ + %D%/packages/patches/maradns-deadwood-do-not-embed-random-number.patch \ %D%/packages/patches/mariadb-link-libatomic.patch \ %D%/packages/patches/mars-install.patch \ %D%/packages/patches/mars-sfml-2.3.patch \ diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm index fea255c930..39268ddfcf 100644 =2D-- a/gnu/packages/dns.scm +++ b/gnu/packages/dns.scm
@@ -1302,7 +1302,10 @@ (define-public maradns (version-major+minor version) "/" version "/maradns-" version ".tar.xz")) (sha256 =2D (base32 "1qgabw6y2bwy6y88dikis62k789i0xh7iwxan8jmqpzvksqwjfgw"))= )) + (base32 "1qgabw6y2bwy6y88dikis62k789i0xh7iwxan8jmqpzvksqwjfgw")) + (patches + (search-patches + "maradns-deadwood-do-not-embed-random-number.patch")))) (build-system gnu-build-system) (arguments `(#:tests? #f ; need to be root to run tests @@ -1310,6 +1313,8 @@ (define-public maradns (list ,(string-append "CC=3D" (cc-for-target)) (string-append "PREFIX=3D" %output) + (string-append "COMPILED=3D" "2012-04-18") + (string-append "VERSION=3D" ,version) (string-append "RPM_BUILD_ROOT=3D" %output)) #:phases (modify-phases %standard-phases diff --git a/gnu/packages/patches/maradns-deadwood-do-not-embed-random-numb= er.patch b/gnu/packages/patches/maradns-deadwood-do-not-embed-random-number= .patch new file mode 100644 index 0000000000..7e51e79259 =2D-- /dev/null +++ b/gnu/packages/patches/maradns-deadwood-do-not-embed-random-number.patch 
@@ -0,0 +1,38 @@ +Adapted from https://sources.debian.org/src/maradns/2.0.13-1.4/debian/patc= hes/deadwood_makefile.patch/ + +diff --git a/deadwood-3.5.0020/src/Makefile.ubuntu2004 b/deadwood-3.5.0020= /src/Makefile.ubuntu2004 +index 62868aa..2c8c094 100644 +--- a/deadwood-3.5.0020/src/Makefile.ubuntu2004 ++++ b/deadwood-3.5.0020/src/Makefile.ubuntu2004 +@@ -29,13 +29,10 @@ all: Deadwood version.h + # +=20 + clean: +- rm -f Test DwMain DwTcp *.exe *.o a.out RandomPrime writehash_test* \ +- Deadwood foo* dw_cache DwHash DwCompress *stackdump \ +- core ; \ +- ./make.version.h ; if [ -e /dev/urandom ] ; \ +- then rm DwRandPrime.h ; \ +- cc RandomPrime.c ; ./a.out > DwRandPrime.h ; rm a.out \ +- ; fi=20 ++ rm -f Test DwMain DwTcp *.exe *.o a.out writehash_test* \ ++ Deadwood foo* dw_cache DwHash DwCompress *stackdump core ++ ++ +=20 + version.h:=09 + ./make.version.h +@@ -67,11 +64,8 @@ DwSocket.o: DwSocket.c DwStr.h DwSocket.h + DwSys.o: DwSys.c DwStr.h version.h + $(CC) $(FLAGS) -Wall -c -o DwSys.o DwSys.c +=20 +-RandomPrime: RandomPrime.c +- $(CC) -O3 -o RandomPrime RandomPrime.c +- +-DwRandPrime.h: RandomPrime +- if [ -e /dev/urandom ] ; then ./RandomPrime > DwRandPrime.h ; fi ++DwRandPrime.h: ++ echo '#define MUL_CONSTANT 1238145941' > DwRandPrime.h +=20 + DwHash.o: DwHash.c DwStr.h DwRandPrime.h DwHash.h + $(CC) $(FLAGS) -Wall -c -o DwHash.o DwHash.c =2D-=20 2.35.1
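Review bot: the dns.scm makeflags hunk hard-codes COMPILED="2012-04-18" without saying where that date comes from, so the next person to update the package cannot tell whether it is arbitrary or tied to something in the release. Put a one-line comment beside it in gnu/packages/dns.scm (or mention the reason in the commit message) so that it is clear the value only needs to be fixed, not correct, for reproducibility, and whether it should be bumped on version updates.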
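Review bot: in the first hunk of the new Makefile.ubuntu2004 patch the rewritten clean target ends with two empty added lines ("++" with nothing after them) right before the "version.h:" rule; they only add trailing blank lines to the generated Makefile and should be dropped so the hunk is just the shortened "rm -f" command. The old clean rule also ran ./make.version.h and regenerated DwRandPrime.h as side effects, which the new rule no longer does; that looks intentional, since version.h and DwRandPrime.h have their own rules, but the patch header should say so, because it is a behaviour change for anyone running "make clean" inside the source tree.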
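Review bot: the second hunk replaces the generated DwRandPrime.h with a fixed "#define MUL_CONSTANT 1238145941", and DwHash.o depends on that header, so every Guix build now ships the same, publicly known multiplier for the hash code, whereas upstream regenerated it per build whenever /dev/urandom exists. Two things belong in the patch header before this is merged: first, whether 1238145941 is actually prime, because the Makefile comment quoted above describes the header as "a randomly generated prime" and RandomPrime.c presumably produced one, so the hash code may rely on that property; second, whether DwHash.c also mixes in run-time randomness, because if the build-time constant is the only source of unpredictability in the hash layout, a constant that anyone can read out of the binary weakens whatever the random prime was meant to protect. Note that upstream's own fallback is equally fixed, since the old rule only regenerated DwRandPrime.h when /dev/urandom is present and otherwise kept the header shipped in the tarball, so this patch makes the Linux build behave like that fallback rather than introducing a new kind of weakness; that is still worth stating explicitly so the trade-off is recorded, and if the run-time code does not seed itself, the reproducibility fix should be paired with a run-time seed rather than a constant.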