[Reproducible-builds] Bug#830075: golang-github-kr-binarydist: please make the build reproducible

Dhole dhole at openmailbox.org
Tue Jul 5 21:54:54 UTC 2016 

Source: golang-github-kr-binarydist
Version: 0.0~git20120828.0.9955b0a-1
Severity: wishlist
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: locale
X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org

Hi,

While working on the "reproducible builds" effort [1], we have noticed
that golang-github-kr-binarydist could not be built reproducibly.

When building the package, some test functions are run that generate
random test files.  The randomness for those test files is provided by
the kernel (through the crypto/rand go package).

The attached patch fixes this by generating deterministic pseudorandom
test files instead (by means of the rand go package and setting a fixed
seed).  The function that creates this test files is only used for
testing purposes, and as such, I believe there's no security concern.
But I'm not familiar with the package, so please, double check it.
Also, consider sending this patch upstream :)

Once applied, golang-github-kr-binarydist can be built reproducibly in
our current experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds

Regards,
-- 
Dhole
-------------- next part --------------
diff -Nru golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog
--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog	2016-06-29 22:09:09.000000000 +0200
+++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog	2016-07-04 01:21:45.000000000 +0200
@@ -1,3 +1,10 @@
+golang-github-kr-binarydist (0.0~git20120828.0.9955b0a-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Make test files deterministic to make the package build reproducible. 
+
+ -- Eduard Sanou <dhole at openmailbox.org>  Mon, 04 Jul 2016 01:21:16 +0200
+
 golang-github-kr-binarydist (0.0~git20120828.0.9955b0a-1) unstable; urgency=medium
 
   * Initial release (Closes: 823342)
diff -Nru golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch
--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch	2016-07-04 01:23:15.000000000 +0200
@@ -0,0 +1,56 @@
+Description: Deterministic test files
+ Make the files written during tests deterministic to make this package build
+ reproducible.
+Author: Eduard Sanou <dhole at openmailbox.org>
+
+--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a.orig/common_test.go
++++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/common_test.go
+@@ -1,10 +1,10 @@
+ package binarydist
+ 
+ import (
+-	"crypto/rand"
+ 	"io"
+ 	"io/ioutil"
+ 	"os"
++	"rand"
+ )
+ 
+ func mustOpen(path string) *os.File {
+@@ -67,8 +67,9 @@ func fileCmp(a, b *os.File) int64 {
+ 	return -1
+ }
+ 
+-func mustWriteRandFile(path string, size int) *os.File {
++func mustWriteRandFile(path string, size int, seed int64) *os.File {
+ 	p := make([]byte, size)
++	rand.Seed(seed)
+ 	_, err := rand.Read(p)
+ 	if err != nil {
+ 		panic(err)
+--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a.orig/diff_test.go
++++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/diff_test.go
+@@ -13,8 +13,8 @@ var diffT = []struct {
+ 	new *os.File
+ }{
+ 	{
+-		old: mustWriteRandFile("test.old", 1e3),
+-		new: mustWriteRandFile("test.new", 1e3),
++		old: mustWriteRandFile("test.old", 1e3, 1),
++		new: mustWriteRandFile("test.new", 1e3, 2),
+ 	},
+ 	{
+ 		old: mustOpen("testdata/sample.old"),
+--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a.orig/patch_test.go
++++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/patch_test.go
+@@ -8,8 +8,8 @@ import (
+ )
+ 
+ func TestPatch(t *testing.T) {
+-	mustWriteRandFile("test.old", 1e3)
+-	mustWriteRandFile("test.new", 1e3)
++	mustWriteRandFile("test.old", 1e3, 1)
++	mustWriteRandFile("test.new", 1e3, 2)
+ 
+ 	got, err := ioutil.TempFile("/tmp", "bspatch.")
+ 	if err != nil {
diff -Nru golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series
--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series	2016-07-04 01:22:10.000000000 +0200
@@ -0,0 +1 @@
+deterministic-test-files.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20160705/dbbcdd1c/attachment.sig>

More information about the Reproducible-builds mailing list