Bug#1088144: cdbs: please remove support for dh-buildinfo, superseded by .buildinfo
James Addison
jay at jp-hosting.net
Sat Nov 23 20:33:50 GMT 2024
Source: cdbs
Severity: normal
Tags: patch
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
User: reproducible-builds at lists.alioth.debian.org
Usertags: toolchain
Dear Maintainer,

I'm an occasional volunteer contributor to the Reproducible Builds[1] project,
and noticed recently that a reasonably large (1000+) number of Haskell packages
fail to rebuild deterministically according to the https://reproduce.debian.net
test infrastructure.

I believe that the cause relates to the fact that the affected packages use the
cdbs build system, often by means of include statements in their rules files,
when building their documentation binary packages (*-doc).

In particular, a default-enabled call to dh-buildinfo in the debhelper.mk.in
template[2] inhibits rebuild reproducibility for the packages, because the
'buildinfo_*.gz' files produced in the resulting output Debian binary packages
contain package-and-version information from the build host -- particularly
Essential set packages -- that may change over time despite having no influence
on other content in the binary documentation package.

I discovered this after attempting a local rebuild of src:haskell-time-parsers
and finding that the 'login' package mentioned in the 'buildinfo_all.gz' file
was different between my local libghc-time-parsers-doc_0.2-2_all.deb build
output and the version of that file hosted in the Debian archive.

The preferred format[4] to declare the relevant set of build dependencies to
(re)construct a Debian binary package identically from source is .buildinfo[5],
and I believe that this offers a replacement for the dh-buildinfo call.

I would like to request that dh-buildinfo is removed from the build-deps for
the build-depends that it generates[2] for packages that use cdbs as a
buildsystem.

I suggest this (with patch attached) as a way to allow package maintainers to
opt-in to continuing to use dh-buildinfo for their packages if they want to by
adding it to their build-dep(-indep) clauses, while simultaneously allowing the
majority of packages to achieve more future-proof build reproducibility.

Regards,
James

[1] - https://reproducible-builds.org
[2] - https://sources.debian.org/src/cdbs/0.4.166/1/rules/debhelper.mk.in/#L105-L106
[3] - https://manpages.debian.org/bookworm/devscripts/debrebuild.1.en.html
[4] - https://reproducible-builds.org/tools/
[5] - https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles
-------------- next part --------------
From: James Addison <jay at jp-hosting.net>
Date: Sat, 23 Nov 2024 20:26:42 +0000
Subject: Remove default addition of dh-buildinfo build-dep

The dh_buildinfo helper produces a list of dependencies found on
the build host, to aid downstream sites rebuilding from source.

However, this file can in fact inhibit reproducibility, because
some dependencies that vary on the build host may not be relevant
to the build process.

A more recent and preferred format of the Reproducible Builds[1]
project that achieves the same goal for Debian packages is the
.buildinfo format; as of Y2024 these files are widely used and are
in active use verifying bit-for-bit package (re)build integrity.

So, remove the default dependency on dh-buildinfo; individual
package maintainers may choose to enable it if they wish to.
---
Index: cdbs-0.4.166/1/rules/debhelper.mk.in
===================================================================
--- cdbs-0.4.166.orig/1/rules/debhelper.mk.in
+++ cdbs-0.4.166/1/rules/debhelper.mk.in
@@ -102,9 +102,6 @@ CDBS_BUILD_DEPENDS_rules_debhelper_v10 ?
CDBS_BUILD_DEPENDS_rules_debhelper_v$(DH_COMPAT) ?= debhelper (>= $(DH_COMPAT)~)
CDBS_BUILD_DEPENDS +=, $(CDBS_BUILD_DEPENDS_rules_debhelper_v$(DH_COMPAT))
-CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo ?= dh-buildinfo
-CDBS_BUILD_DEPENDS +=, $(CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo)
-
ifeq ($(DEB_VERBOSE_ALL), yes)
DH_VERBOSE = 1
endif
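
Review bot: the two removed CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo lines only drop the generated build-dependency on dh-buildinfo; nothing in this hunk touches the place where the helper is actually invoked. The report describes a default-enabled call in the same template, so please confirm that the call site is skipped cleanly when the tool is not installed, or guard or remove it in the same patch, so that packages which stop pulling in dh-buildinfo neither fail to build nor keep shipping buildinfo_*.gz when the tool happens to be present on the build host. Any package that currently sets CDBS_BUILD_DEPENDS_rules_debhelper_buildinfo itself will also have that setting silently ignored after this change; a short changelog or NEWS entry saying that opting back in now means listing dh-buildinfo in Build-Depends(-Indep) directly would cover that. The commit message cites "[1]" without giving the link.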