From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-devel-bounces+larch=yhetil.org@gnu.org>
Received: from mp12.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms5.migadu.com with LMTPS
	id WCatENuunmK+uwAAbAwnHQ
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 07 Jun 2022 03:50:19 +0200
Received: from aspmx1.migadu.com ([2001:41d0:2:bcc0::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp12.migadu.com with LMTPS
	id 2BKRENuunmKB0QAAauVa8A
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Tue, 07 Jun 2022 03:50:19 +0200
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id E0BF710D91
	for <larch@yhetil.org>; Tue,  7 Jun 2022 03:50:18 +0200 (CEST)
Received: from localhost ([::1]:39756 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-devel-bounces+larch=yhetil.org@gnu.org>)
	id 1nyOMM-0002ne-20
	for larch@yhetil.org; Mon, 06 Jun 2022 21:50:18 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:53180)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <vagrant@reproducible-builds.org>)
 id 1nyOLm-0002nE-RU
 for guix-devel@gnu.org; Mon, 06 Jun 2022 21:49:42 -0400
Received: from cascadia.aikidev.net ([173.255.214.101]:44624)
 by eggs.gnu.org with esmtp (Exim 4.90_1)
 (envelope-from <vagrant@reproducible-builds.org>) id 1nyOLk-0000D5-RL
 for guix-devel@gnu.org; Mon, 06 Jun 2022 21:49:42 -0400
Received: from localhost (unknown [IPv6:2600:3c01:e000:21:7:77:0:20])
 (Authenticated sender: vagrant@aikidev.net)
 by cascadia.aikidev.net (Postfix) with ESMTPSA id F40ED1AAD8
 for <guix-devel@gnu.org>; Mon,  6 Jun 2022 18:49:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=reproducible-builds.org; s=1.vagrant; t=1654566579;
 bh=u+84//sjJdQ/IZ6brlPniUDQ7WTe2f+wOu7LD2k1QNE=;
 h=From:To:Subject:Date:From;
 b=2umnR2vRiQHKjToaVPGazdoyfynz4JUsbZRh9pSbp24PiW8ekX845VU9Up/3Ib/ug
 UlrA7IyerAGZpShwKi7cICiiJbBvlvanSt8UD8kqefwsZxgwFLLuogE03rZg/ybMhD
 2+PfxqgjKJZfllTHAHJ3IbTeS9ycJTiSaD2ChirR4QYq7mOwpYxwo9JZFe9NjqwBj/
 40Gjb9qjqky+ug0D2osjGc85UoUQovn6QY5DkyTsIcLBGj+mzOG6TWQpnKmklAmBA8
 doyyZwibTAbc0TE47EeulSFDzOocr6i9sJexF6biY3/x+S/adUmdF9iwurL3DMkfHc
 DrKHGVMYYK/Zw==
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Guix Devel <guix-devel@gnu.org>
Subject: maradns reproducibility fixes and the merits of picking a random
 number
Date: Mon, 06 Jun 2022 18:49:34 -0700
Message-ID: <87pmjlfdjl.fsf@contorta>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: none client-ip=173.255.214.101;
 envelope-from=vagrant@reproducible-builds.org; helo=cascadia.aikidev.net
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001,
 SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: guix-devel@gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Development of GNU Guix and the GNU System distribution."
 <guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
 <mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
X-Migadu-To: larch@yhetil.org
X-Migadu-Country: US
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1654566619;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:list-id:list-help:list-unsubscribe:
	 list-subscribe:list-post:dkim-signature;
	bh=LvtfRiTXnaFwjz0vm87RNjylV0z32Q0D92ZqAfSYkw4=;
	b=YhiXSfpwha4OFy8KG5gVTnA47MzB2+U9+kuYdI0JjIcFkZJlfFyoxznNA0b7a71o+td0op
	8OKUTyUOFhKQuakBeGeHd+MVRu3l1/vsFq9bPMtUgIC9dv1VCpcHQtK4Wy/vKDiTS2hear
	J/EBbrmaTUzaHg+JMAylw4xyGgWVx/09A/8QzCi3qOcRpPTbwMU5NaHLneAqKaw6aQ9vId
	VJvtsmPO8e5TWG4gpP/mGYYMK2l5HZeWwwB6YE7nQ6qvgmRz3yeYe6CtyH+7CWGgb/TwTk
	VZE8aqJ4yJ4cRpXtl9UpAJwcKVpiCy81j7omtyEX5HwMKvpACpkgnngc7bFDJA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1654566619; a=rsa-sha256; cv=none;
	b=rs6nh39EOCvhlDXj6uP4HFY2pT7ekWKu80d3/WpROsBG/mEf7DTnC1VlSZbMyoQBpt5Zyq
	Od0APex2XjSSPBH4VkCqsxUjmf06tWnpj/b1idl7gpGOEFmBRQ4R34NeV66cRdgpkLoAiX
	56IsYoNtgV7OJpS6S73Z3sLkWUQxCiFlTnTOAawGnWEN7RahxDeF7qoN1HrLCO8eNlesQg
	kXDhWL0gDk4D2TTAAibD+uj4fGfCT/nqD39ymhuEkEWVTvsoamGolVXDXKhImaPsE0P5Qi
	jQxk9dMu0WbzsQ3oxWlLcqXEh1sT3qDQc5qKI/mSCYgLBRP2enz3uSfvWpK91Q==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=pass header.d=reproducible-builds.org header.s=1.vagrant header.b=2umnR2vR;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Spam-Score: -6.91
Authentication-Results: aspmx1.migadu.com;
	dkim=pass header.d=reproducible-builds.org header.s=1.vagrant header.b=2umnR2vR;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"
X-Migadu-Queue-Id: E0BF710D91
X-Spam-Score: -6.91
X-Migadu-Scanner: scn0.migadu.com
X-TUID: e5QfDy5yKyVc

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

So, I've got a fix for the reproducibility issues for maradns... part of
the fixes are fairly obvious, setting a specific date and setting the
version to be, well, the version...

But there's one nervous-making issue this revealed; maradns embeds a
random number at build time ... allegedly for systems that don't have
/dev/urandom... see
maradns-3.5.0020/deadwood-3.5.0020/src/Makefile.ubuntu2004:

  # Since some systems may not have /dev/urandom (Windows, *cough* *cough*)=
, we
  # keep a randomly generated prime around

So it's got some code to generate a random number at build time and
embed it in the binary. Now, if there's anything I know about good
practices about random numbers, this sort of thing is generally a very
large red flag! It also makes the package build differently every time!

So, Debian's maradns package just removes this embedding of a "random"
number, and I've basically adapted their patches to build reproducibly
on guix too... by basically embedding the same "random" number every
single build!

That said, hopefully it actually uses /dev/urandom and this is just a
fallback for when /dev/urandom is missing? Is that actually how this is
supposed to work? Is that actually how the code does work? If that's the
case, I think the following patch should work ok on Guix.

But I wanted some extra eyes on this before pushing...

live well,
  vagrant

p.s. Obviously, I picked the best random number.

From=20a2e10d39de37c363b25f06dbb275e2bf6d614b7c Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Sun, 5 Jun 2022 13:57:27 -0700
Subject: [PATCH 3/3] gnu: maradns: Build reproducibly.

* gnu/packages/patches/maradns-deadwood-do-not-embed-random-number.patch: N=
ew
  file.
* gnu/local.mk (dist_patch_DATA): Add patch.
* gnu/package/dns.scm (maradns)[source]: Add patch.
  [arguments]: Pass VERSION and COMPILED via makeflags.
=2D--
 gnu/local.mk                                  |  1 +
 gnu/packages/dns.scm                          |  7 +++-
 ...-deadwood-do-not-embed-random-number.patch | 38 +++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/maradns-deadwood-do-not-embed-rand=
om-number.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 68b317b32a..ff1135e48e 100644
=2D-- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1471,6 +1471,7 @@ dist_patch_DATA =3D						\
   %D%/packages/patches/lvm2-static-link.patch			\
   %D%/packages/patches/mailutils-variable-lookup.patch		\
   %D%/packages/patches/make-impure-dirs.patch			\
+  %D%/packages/patches/maradns-deadwood-do-not-embed-random-number.patch	\
   %D%/packages/patches/mariadb-link-libatomic.patch		\
   %D%/packages/patches/mars-install.patch			\
   %D%/packages/patches/mars-sfml-2.3.patch			\
diff --git a/gnu/packages/dns.scm b/gnu/packages/dns.scm
index fea255c930..39268ddfcf 100644
=2D-- a/gnu/packages/dns.scm
+++ b/gnu/packages/dns.scm
@@ -1302,7 +1302,10 @@ (define-public maradns
                            (version-major+minor version) "/"
                            version "/maradns-" version ".tar.xz"))
        (sha256
=2D        (base32 "1qgabw6y2bwy6y88dikis62k789i0xh7iwxan8jmqpzvksqwjfgw"))=
))
+        (base32 "1qgabw6y2bwy6y88dikis62k789i0xh7iwxan8jmqpzvksqwjfgw"))
+       (patches
+        (search-patches
+         "maradns-deadwood-do-not-embed-random-number.patch"))))
     (build-system gnu-build-system)
     (arguments
      `(#:tests? #f                      ; need to be root to run tests
@@ -1310,6 +1313,8 @@ (define-public maradns
        (list
         ,(string-append "CC=3D" (cc-for-target))
         (string-append "PREFIX=3D" %output)
+        (string-append "COMPILED=3D" "2012-04-18")
+        (string-append "VERSION=3D" ,version)
         (string-append "RPM_BUILD_ROOT=3D" %output))
        #:phases
        (modify-phases %standard-phases
diff --git a/gnu/packages/patches/maradns-deadwood-do-not-embed-random-numb=
er.patch b/gnu/packages/patches/maradns-deadwood-do-not-embed-random-number=
.patch
new file mode 100644
index 0000000000..7e51e79259
=2D-- /dev/null
+++ b/gnu/packages/patches/maradns-deadwood-do-not-embed-random-number.patch
@@ -0,0 +1,38 @@
+Adapted from https://sources.debian.org/src/maradns/2.0.13-1.4/debian/patc=
hes/deadwood_makefile.patch/
+
+diff --git a/deadwood-3.5.0020/src/Makefile.ubuntu2004 b/deadwood-3.5.0020=
/src/Makefile.ubuntu2004
+index 62868aa..2c8c094 100644
+--- a/deadwood-3.5.0020/src/Makefile.ubuntu2004
++++ b/deadwood-3.5.0020/src/Makefile.ubuntu2004
+@@ -29,13 +29,10 @@ all:	Deadwood version.h
+ #
+=20
+ clean:
+-	rm -f Test DwMain DwTcp *.exe *.o a.out RandomPrime writehash_test* \
+-		Deadwood foo* dw_cache DwHash DwCompress *stackdump \
+-		core ; \
+-		./make.version.h ; if [ -e /dev/urandom ] ; \
+-			then rm DwRandPrime.h  ; \
+-			cc RandomPrime.c ; ./a.out > DwRandPrime.h ; rm a.out \
+-		; fi=20
++	rm -f Test DwMain DwTcp *.exe *.o a.out writehash_test* \
++		Deadwood foo* dw_cache DwHash DwCompress *stackdump core
++
++
+=20
+ version.h:=09
+ 	./make.version.h
+@@ -67,11 +64,8 @@ DwSocket.o:	DwSocket.c DwStr.h DwSocket.h
+ DwSys.o:	DwSys.c DwStr.h version.h
+ 	$(CC) $(FLAGS) -Wall -c -o DwSys.o DwSys.c
+=20
+-RandomPrime:	RandomPrime.c
+-	$(CC) -O3 -o RandomPrime RandomPrime.c
+-
+-DwRandPrime.h: RandomPrime
+-	if [ -e /dev/urandom ] ; then ./RandomPrime > DwRandPrime.h ; fi
++DwRandPrime.h:
++	echo '#define MUL_CONSTANT 1238145941' > DwRandPrime.h
+=20
+ DwHash.o:	DwHash.c DwStr.h DwRandPrime.h DwHash.h
+ 	$(CC) $(FLAGS) -Wall -c -o DwHash.o DwHash.c
=2D-=20
2.35.1


--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCYp6urwAKCRDcUY/If5cW
qsd3AQCXePVTLhex1jsZzzeCk1ixMdou0taBeDAQ88WE6Bef+AD/RY92r/o2misd
28lto2r7rb97d2xE4qhGzIdKVLjOkAg=
=uRVp
-----END PGP SIGNATURE-----
--=-=-=--