[Debian-med-packaging] Bug#1037272: gbrowse: reproducible builds: random value in /etc/gbrowse/ConfigData.pm

Vagrant Cascadian vagrant at reproducible-builds.org
Sat Jun 10 00:29:25 BST 2023


Source: gbrowse
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

The OpenIDConsumerSecret in /etc/gbrowse/ConfigData.pm is a randomized value:

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/gbrowse.html

  'OpenIDConsumerSecret'·=>·'867318970136679',
  vs.
  'OpenIDConsumerSecret'·=>·'940203427089713',

The attached patch to Build.PL fixes this by initializing the random
seed using the SOURCE_DATE_EPOCH environment variable.

If this is really a secret, all Debian users using the same package will
share the same secret, so there may be some security implications!

A better approach might be to generate this value at run time or package
installation time, but I do not know enough about how gbrowse uses this
to propose a specific approach.


Unfortunately, this is not the only reproducibility issue affecting
gbrowse, but applying this patch should make it easier to troubleshoot
the remaining issues.


Thanks for maintaining gbrowse!


live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Build.PL-Seed-random-number-generator-with-SOURCE_DA.patch
Type: text/x-diff
Size: 743 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/debian-med-packaging/attachments/20230609/68a3ade9/attachment.patch>
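Added illustration (editor's note, not the attached patch and not gbrowse's own Build.PL, which is not reproduced here): hypothetical Perl contrasting the two approaches the report discusses. It assumes the build script derives OpenIDConsumerSecret from Perl's rand(); the 15-digit format only mirrors the values shown in the diffoscope output above. build_time_secret() is the reproducible-builds fix (seed from SOURCE_DATE_EPOCH), and load_or_create_secret() is the alternative the report suggests: a per-host secret created at install or first run from a CSPRNG, so nothing secret is baked into the binary package.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build-time generator, seeded from SOURCE_DATE_EPOCH when it is set
# (reproducible, but the same secret on every host that installs the package).
# Hypothetical: gbrowse's real Build.PL may differ.
sub build_time_secret {
    my $seed = $ENV{SOURCE_DATE_EPOCH};
    if (defined $seed && $seed =~ /^\d+$/) {
        srand($seed);     # deterministic rand() stream for this seed and Perl build
    } else {
        srand();          # Perl's default seeding: differs from build to build
    }
    return sprintf('%015.0f', int(rand(1e15)));
}

# Runtime / install-time generator using the kernel CSPRNG (Linux /dev/urandom).
sub fresh_secret {
    my $nbytes = shift // 16;
    open(my $fh, '<:raw', '/dev/urandom') or die "cannot open /dev/urandom: $!";
    my $buf = '';
    my $got = read($fh, $buf, $nbytes);
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $nbytes;
    return unpack('H*', $buf);    # hex string, 2*$nbytes characters
}

# Load an existing per-host secret or create it once, mode 0600.
sub load_or_create_secret {
    my $path = shift;
    if (-r $path) {
        open(my $in, '<', $path) or die "cannot read $path: $!";
        my $secret = <$in>;
        close $in;
        chomp $secret if defined $secret;
        return $secret if defined $secret && length $secret;
    }
    my $secret = fresh_secret();
    my $old_umask = umask 077;
    open(my $out, '>', $path) or die "cannot write $path: $!";
    print $out "$secret\n";
    close $out;
    umask $old_umask;
    return $secret;
}

# Demonstration with a constructed SOURCE_DATE_EPOCH value.
$ENV{SOURCE_DATE_EPOCH} = '1686353365';
my $first  = build_time_secret();
my $second = build_time_secret();
printf "build-time secret: %s (same on rebuild: %s)\n",
    $first, ($first eq $second ? 'yes' : 'no');

my $path = "/tmp/gbrowse-consumer-secret.$$";   # hypothetical location
my $s1 = load_or_create_secret($path);
my $s2 = load_or_create_secret($path);
printf "per-host secret: %s (stable across calls: %s, unique per call: %s)\n",
    $s1, ($s1 eq $s2 ? 'yes' : 'no'), (fresh_secret() ne $s1 ? 'yes' : 'no');
unlink $path;
```

The check a packager would want: rebuild twice with the same SOURCE_DATE_EPOCH and confirm build_time_secret() is identical, then remember that anyone who can read the package (or its changelog date) can recompute that value, which is exactly the concern raised in the report. The per-host path removes the value from the package entirely; its only caveats are file permissions (hence umask 077) and that the secret must be created before the first OpenID exchange.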

