[Pkg-cmake-team] Bug#1019136: cmake injects randomly named dummy function to output binary and it breaks reproducible build
yokota
yokota.hgml at gmail.com
Sun Sep 4 13:28:01 BST 2022
Package: cmake
Version: 3.24.1-1
Severity: normal
X-Debbugs-Cc: yokota.hgml at gmail.com
Dear Maintainer,
Current CMake (3.24.1) injects randomly named dummy function to output binary.
Output binary works well, but this issue breaks reproducible build.
Injected code can be examine from here:
https://salsa.debian.org/cmake-team/cmake/-/blob/debian/3.24.1-1/Source/cmQtAutoMocUic.cxx#L2177
```c++
// Placeholder content
cmCryptoHash hash(cmCryptoHash::AlgoSHA256);
const std::string hashedPath = hash.HashString(compAbs);
const std::string functionName =
"cmake_automoc_silence_linker_warning" + hashedPath;
content += "// No files found that require moc or the moc files are "
"included\n"
"void " +
functionName + "() {}\n";
```
Randomly named dummy function was generated from absolute path name and SHA256.
Absolute path name might be vary in each development machines because
source code will be placed in each developer's own path.
So, this feature generates non-deterministic output, and breaks
reproducible build.
Here is issue about this feature in upstream:
https://gitlab.kitware.com/cmake/cmake/-/issues/23551
And merge request:
https://gitlab.kitware.com/cmake/cmake/-/merge_requests/7558
This bug will break Debian "calibre" package from reproducible build.
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/calibre.html
I want to make Debian "calibre" package to reproducible.
--
YOKOTA Hiroshi
More information about the Pkg-cmake-team
mailing list