[Reproducible-builds] Bug#823123: libusb: debian/rules uses unportable shell constructs; please make the build reproducible (shell)

Daniel Shahaf danielsh at apache.org
Sun May 1 01:49:00 UTC 2016 

Package: libusb
Version: 0.1.12
Severity: minor
User: reproducible-builds at lists.alioth.debian.org
Usertags: environment

Dear Maintainer,

While working on the “reproducible builds” effort [1], we have noticed
that libusb could not be built reproducibly; the diff between two builds
is:

    # https://tests.reproducible-builds.org/rb-pkg/unstable/amd64/libusb.html
    ├── ./usr/lib/x86_64-linux-gnu/libusb.so
    │ @@ -1,3 +1 @@
    │ -/* GNU ld script.  */
    │ -GROUP ( /lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4 )
    │ -
    │ +/* GNU ld script.  */\nGROUP ( /lib/x86_64-linux-gnu/libusb-0.1.so.4.4.4 )\n

This difference is down to debian/rules calling echo(1) with an argument
that contains a literal backslash.  The behaviour of echo(1) in that
case is (according to POSIX) implementation-defined.  Since debian/rules
uses echo(1) from the building user's shell, the build output differs
when the building user uses SHELL=bash v. SHELL=dash:

    % LC_ALL=C dash -c 'echo "foo\nbar"' 
    foo
    bar
    % LC_ALL=C bash -c 'echo "foo\nbar"' 
    foo\nbar
    % 

The following patch removes the use of implementation-defined behaviour:

[[[
diff --git a/debian/rules b/debian/rules
index c51241b..af1d9db 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,7 +23,7 @@ override_dh_auto_install-arch:
        mv $(CURDIR)/debian/tmp-deb/usr/lib/$(DEB_HOST_MULTIARCH)/libusb-0.1.so.* \
           $(CURDIR)/debian/tmp-deb/lib/$(DEB_HOST_MULTIARCH)
        rm $(CURDIR)/debian/tmp-deb/usr/lib/$(DEB_HOST_MULTIARCH)/libusb.so
-       echo "/* GNU ld script.  */\nGROUP ( /lib/$(DEB_HOST_MULTIARCH)/libusb-0.1.so.4.4.4 )\n" \
+       printf "/* GNU ld script.  */\nGROUP ( /lib/%%s/libusb-0.1.so.4.4.4 )\n" "$(DEB_HOST_MULTIARCH)" \
                > $(CURDIR)/debian/tmp-deb/usr/lib/$(DEB_HOST_MULTIARCH)/libusb.so
        dh_auto_install --builddirectory build-udeb --destdir=$(CURDIR)/debian/tmp-udeb
]]]

This patch should also make the build reproducible, but I didn't test that.

Note that when built under bash, the .so file contains a literal «\n»
sequence (two bytes).  I'm assuming that might have user-visible
consequences but I don't know what exactly they would be.

Cheers,

Daniel

More information about the Reproducible-builds mailing list