[Reproducible-builds] Bug#762683: libdpkg-perl: add build flags that help with build reproducibility

Fri Sep 26 17:30:27 UTC 2014

Hi!

On Wed, 2014-09-24 at 20:24:15 +0800, Paul Wise wrote:
> Package: libdpkg-perl
> Severity: wishlist
> Tags: patch
> Usertags: sentpatch
> User: reproducible-builds at lists.alioth.debian.org
> Usertags: toolchain timestamps
> X-Debbugs-CC: reproducible-builds at lists.alioth.debian.org

> The attached pair of patches add support for adding build flags that
> help with build reproducibility and add the -Wdate-time flag, which
> causes warnings when the time related macros are used. This has the
> potential to cause FTBFS in conjunction with -Werror so we are willing
> to do package rebuilds with this patch in order to test the theory.

Please, see
<https://wiki.debian.org/Teams/Dpkg/FAQ#Q:_Can_we_add_support_for_new_default_build_flags_to_dpkg-buildflags.3F>
for the process to include it in the default set.

Although for now I'm fine merging this being disabled by default.
Meanwhile I've added support to dpkg-buildflags to honor feature area
settings from DEB_BUILD_OPTIONS, so that these can be enabled globally by
a builder for example for build tests and similar, but will be overridden
by DEB_BUILD_MAINT_OPTIONS though (in the same way build flags are).

> From d5538d91bb35d489ef2aaa5f9b8cf62fbed676cb Mon Sep 17 00:00:00 2001
> From: Paul Wise <pabs at debian.org>
> Date: Wed, 24 Sep 2014 19:41:18 +0800
> Subject: [PATCH 1/2] Add a function for adding flags related to reproducible
>  builds.

> +sub add_reproducible_flags {
> +    my ($self, $flags) = @_;
> +
> +    # Features enabled by default for all builds.

Please change this to “# Default feature states.”, to make it
independent of their enabled/disabled state, I've already changed
the original string where this was copied from.

> +    my %use_feature = (
> +    );
> +
> +    # Warnings when __TIME__ __DATE__ __TIMESTAMP__ macros used

And move this comment to the other patch.

> From 3644a69a3770eb1b7ed7c119c940ddd04c89b5e3 Mon Sep 17 00:00:00 2001
> From: Paul Wise <pabs at debian.org>
> Date: Wed, 24 Sep 2014 19:41:46 +0800
> Subject: [PATCH 2/2] Warn about the use of __TIME__, __DATE__ and
>  __TIMESTAMP__ macros.

> @@ -229,9 +229,14 @@ sub add_reproducible_flags {
>  
>      # Features enabled by default for all builds.
>      my %use_feature = (
> +	warntime => 1,
>      );

I'm thinking that if this gets accepted by the project at large, then
it might even make sense to make it an error (-Werror=date-time) at
some later point, so the name would be wrong. How about 'timeless'?
Or can you think about some other more appropriate name?

>      # Warnings when __TIME__ __DATE__ __TIMESTAMP__ macros used
> +    if ($use_feature{warntime}) {
> +	$flags->append('CPPFLAGS', '-Wdate-time');
> +    }

I verified that this works with a standalone cpp, so it looks good.

It would be nice if you could add documentation in the dpkg-buildflags
man page, a new .SS subsection, with something along the lines of the
first Hardening paragraph (I had already reworked the common parts out
of the Hardening subsection for other feature areas, so no need to
repeat those).

Thanks,
Guillem