Bug#1034199: lomiri: reproducible builds: temporary directories embedded in .sh files

Vagrant Cascadian vagrant at reproducible-builds.org
Tue Apr 11 00:12:39 BST 2023


Source: lomiri
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

The files in the lomiri tarball appear to be in arbitrary order,
possibly affected by locale or filesystem differences:

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/lomiri.html

  /usr/libexec/lomiri/tests/scripts/gdbtestLomiriSortFilterProxyModel.sh

  export·HOME=/tmp/tmp.RvWPuq0Oob
  vs.
  export·HOME=/tmp/tmp.lLVsKmMCrB

The attached patch to an upstream CMakeLists.txt file fixes this by
specifying HOME=/nonexistent.

I have not tested that this actually functions correctly, only that it
fixes the reproducibility issue... however, relying on HOME being set to
a temporary directory at build time is a bit of a security risk (as
anyone can write to /tmp)... an alternate fix might be using mktemp -d
at runtime rather than build time?


According to my local tests, applying this patch (and another soon to be
submitted) should make lomiri build reproducibly on
tests.reproducible-builds.org once lomiri lands in debian testing!
(tests for debian unstable/experimental also test build path variations,
which introduce additional issues)


Thanks for maintaining lomiri!


live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-tests-plugins-Utils-CMakeLists.txt-Avoid-embedding-a.patch
Type: text/x-diff
Size: 951 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20230410/1f780798/attachment.patch>
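
The runtime "mktemp -d" alternative raised in the message above, together with a check for build-time temporary paths left in generated scripts, as an added example that is not part of the original report or of the attached patch. The function names are hypothetical and the two sample scripts are constructed from the lines quoted in the report.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, not taken from lomiri.

# List (file:line:text) every mktemp-style path (/tmp/tmp. plus 10
# alphanumerics) baked into the given scripts. /dev/null forces file names
# in the output. Exit status: 0 if any path was found, 1 if none.
find_embedded_tmp() {
    grep -nE '/tmp/tmp\.[A-Za-z0-9]{10}' "$@" /dev/null
}

# Run a command with HOME set to a directory created at run time.
# mktemp -d creates it with mode 0700 under an unpredictable name, so other
# local users cannot pre-create or write into it. The directory is removed
# when the command finishes and the command's exit status is returned.
run_with_private_home() {
    (
        home=$(mktemp -d) || exit 1
        trap 'rm -rf "$home"' EXIT
        HOME=$home "$@"
        exit "$?"
    )
}

demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample inputs: the generated script before and after the fix.
    printf 'export HOME=/tmp/tmp.RvWPuq0Oob\n' > "$dir/before.sh"
    printf 'export HOME=/nonexistent\n' > "$dir/after.sh"
    if find_embedded_tmp "$dir/before.sh" "$dir/after.sh"; then
        echo "build-time temporary path embedded in a generated script"
    fi
    run_with_private_home sh -c 'echo "HOME at run time: $HOME"'
    rm -rf "$dir"
}

demo
```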