[Reproducible-builds] Bug#778250: powerline: leaks environment into build (makes unreproducible and possible privacy breach)

Maria Valentina Marin marivalenm at gmail.com
Thu Feb 12 18:52:34 UTC 2015


Source: powerline
Version: 1.2-2
Severity: normal
User: reproducible-builds at lists.alioth.debian.org
Usertags: timestamps fileordering

Hello,

While working on the “reproducible builds” effort [1], we have noticed that
powerline could not be built reproducibly and it leaks the user's environment
into the resulting binary package when building.

The environment appears in the file
../usr/share/doc/python-powerline-doc/html/develop/extensions.html which is
generated from powerline/renderer.py line 47. Since the environment is
different between different users this makes the package unreproducible. It
might also leak sensitive data the user happens to have in their environment
into the package build.

Maybe the environment dump should be filtered? What is the reason for it being
stored in segment_info in the first place? What is the purpose of storing the
value of $HOME during the package build in the member 'home'?

If these values are important for the operation of the package then they have
to be kept but they should not be included with their values during the package
build in the sphinx documentation.

Cheers, akira

[1]: https://wiki.debian.org/ReproducibleBuilds
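The mechanism this report describes, a module capturing the whole process environment in a data structure whose repr() is then rendered into generated documentation, is illustrated below with an added Python example. It is not powerline's code and the function names, the `SAFE_KEYS` allow-list and the sample environment are all constructed for the illustration. It shows the leaky form beside a filtered form, a check that scans a rendered artifact for environment values that ended up in it, and a check that the artifact is identical when built under two different environments.

```python
import os

# Constructed stand-in for the pattern in the bug report (NOT powerline's code):
# the whole environment, including $HOME, is copied into a dict at call time.
# If a doc generator such as sphinx renders repr() of that dict, the build
# user's environment lands in the generated HTML.
def leaky_segment_info(environ=None):
    """Snapshot of the environment plus HOME (the problematic form)."""
    environ = os.environ if environ is None else environ
    return {'environ': dict(environ), 'home': environ.get('HOME')}

# Hypothetical allow-list of keys a build artifact may legitimately expose.
SAFE_KEYS = frozenset({'LANG', 'LC_ALL', 'TERM'})

def filtered_segment_info(environ=None):
    """Same structure, but only allow-listed keys and no HOME value."""
    environ = os.environ if environ is None else environ
    return {'environ': {k: v for k, v in environ.items() if k in SAFE_KEYS},
            'home': None}

def leaked_values(rendered, environ, min_len=4):
    """(key, value) pairs from environ whose value appears verbatim in rendered.

    Short values are skipped to avoid spurious matches on common strings.
    """
    return sorted((k, v) for k, v in environ.items()
                  if len(v) >= min_len and v in rendered)

def reproducible_across_envs(build, env_a, env_b):
    """True if the build function yields byte-identical output under both envs."""
    return build(env_a) == build(env_b)

# Constructed sample environments for two different build users.
ENV_A = {'HOME': '/home/builder', 'AWS_SECRET': 'hunter2hunter2', 'LANG': 'C.UTF-8'}
ENV_B = {'HOME': '/home/other', 'AWS_SECRET': 'changeme_please', 'LANG': 'C.UTF-8'}

def render_leaky(environ):
    """Stand-in for a doc generator writing repr() of the leaky structure."""
    return repr(leaky_segment_info(environ))

def render_filtered(environ):
    """Same, for the filtered structure."""
    return repr(filtered_segment_info(environ))

if __name__ == '__main__':
    print('leaky  :', leaked_values(render_leaky(ENV_A), ENV_A))
    print('filtered:', leaked_values(render_filtered(ENV_A), ENV_A))
    print('leaky reproducible?   ', reproducible_across_envs(render_leaky, ENV_A, ENV_B))
    print('filtered reproducible?', reproducible_across_envs(render_filtered, ENV_A, ENV_B))
```

The `leaked_values` scan is the cheap check to run over any generated file in a package (here the Sphinx HTML): feed it the build's real environment and it reports which values were copied through. The reproducibility check is the same comparison the reproducible-builds effort makes by building twice with varied environments and diffing the results.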
