[Pkg-cmake-team] Bug#1019136: cmake injects randomly named dummy function to output binary and it breaks reproducible build

yokota yokota.hgml at gmail.com
Sun Sep 4 13:28:01 BST 2022


Package: cmake
Version: 3.24.1-1
Severity: normal
X-Debbugs-Cc: yokota.hgml at gmail.com

Dear Maintainer,

Current CMake (3.24.1) injects a randomly named dummy function into the output binary.
The output binary works well, but this issue breaks reproducible builds.

The injected code can be examined here:
  https://salsa.debian.org/cmake-team/cmake/-/blob/debian/3.24.1-1/Source/cmQtAutoMocUic.cxx#L2177
```c++
    // Placeholder content
    cmCryptoHash hash(cmCryptoHash::AlgoSHA256);
    const std::string hashedPath = hash.HashString(compAbs);

    const std::string functionName =
      "cmake_automoc_silence_linker_warning" + hashedPath;
    content += "// No files found that require moc or the moc files are "
               "included\n"
               "void " +
      functionName + "() {}\n";
```

The randomly named dummy function is generated from the absolute path name and SHA256.
The absolute path name might vary between development machines because
the source code will be placed in each developer's own path.
So, this feature generates non-deterministic output and breaks
reproducible builds.

Here is the upstream issue about this feature:
  https://gitlab.kitware.com/cmake/cmake/-/issues/23551
And the merge request:
  https://gitlab.kitware.com/cmake/cmake/-/merge_requests/7558

This bug will break reproducible builds of the Debian "calibre" package.
  https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/calibre.html

I want to make the Debian "calibre" package reproducible.

--
YOKOTA Hiroshi
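
The path dependence described in the report, as an added example that is not part of the original message and not CMake's code: it mirrors the quoted snippet in Python, assuming `HashString()` returns a lowercase hex SHA-256 digest, and compares the placeholder symbols of two builds. The build roots, the file name, the `placeholder_name_relative` variant and the `nm` lines are constructed for illustration; the variant is a hypothetical contrast, not the upstream fix.

```python
import hashlib
import posixpath
import re

PREFIX = "cmake_automoc_silence_linker_warning"
# Matches the placeholder inside a mangled name such as _Z100<prefix><64 hex>v,
# so no word boundaries are used around the pattern.
SYMBOL_RE = re.compile(PREFIX + r"[0-9a-f]{64}")


def placeholder_name(comp_abs: str) -> str:
    """Mirror the quoted snippet: prefix + SHA-256 of the absolute path.
    Assumption: HashString() yields a lowercase hex digest."""
    return PREFIX + hashlib.sha256(comp_abs.encode()).hexdigest()


def placeholder_name_relative(comp_abs: str, build_root: str) -> str:
    """Hypothetical variant: hash the path relative to the build root."""
    rel = posixpath.relpath(comp_abs, build_root)
    return PREFIX + hashlib.sha256(rel.encode()).hexdigest()


def path_dependent_symbols(nm_a: str, nm_b: str) -> set[str]:
    """Return placeholder symbols that appear in only one of two builds."""
    return set(SYMBOL_RE.findall(nm_a)) ^ set(SYMBOL_RE.findall(nm_b))


def fake_nm_line(symbol: str) -> str:
    """Constructed `nm` line using the Itanium mangling of `void <symbol>()`."""
    return f"0000000000001120 T _Z{len(symbol)}{symbol}v\n"


# Constructed sample: the same project built under two different roots.
ROOT_A = "/home/alice/src/proj/build"
ROOT_B = "/build/proj-1.0/obj"
REL = "app_autogen/mocs_compilation.cpp"

if __name__ == "__main__":
    sym_a = placeholder_name(posixpath.join(ROOT_A, REL))
    sym_b = placeholder_name(posixpath.join(ROOT_B, REL))
    diff = path_dependent_symbols(fake_nm_line(sym_a), fake_nm_line(sym_b))
    print("symbols that differ between builds:", sorted(diff))
    same = (placeholder_name_relative(posixpath.join(ROOT_A, REL), ROOT_A)
            == placeholder_name_relative(posixpath.join(ROOT_B, REL), ROOT_B))
    print("relative-path variant is stable:", same)
```

Feeding `path_dependent_symbols` the real `nm` output of two builds made in different directories gives a quick check for this placeholder before reaching for a full binary diff.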


