Bug#902051: libxslt: generate-id() not returning unique IDs

Andrew Ayer agwa at andrewayer.name
Fri Jun 22 01:06:49 BST 2018


Package: libxslt
Version: 1.1.29-2.1
Severity: important
X-Debbugs-CC: reproducible-builds at lists.alioth.debian.org

Dear Maintainer,

Nick Bowler has pointed out on the libxslt bug tracker that
debian/patches/0004-Make-generate-id-deterministic.patch has issues,
most notably that generate-id() is not returning distinct IDs for
distinct nodes:

https://bugzilla.gnome.org/show_bug.cgi?id=751621#c15

https://bugzilla.gnome.org/show_bug.cgi?id=751621#c19

This bug could cause stylesheets to break in hard-to-detect ways.  For
example, it could cause the stylesheet to believe that two nodes are
the same when they aren't (if the stylesheet is using the common 
`generate-id(foo) = generate-id(bar)` idiom), or to generate elements
with duplicate id attributes (if generate-id() is being used to generate
the id attribute).

It's not immediately clear how the patch can be fixed, since it relies
on an assumption that is no longer valid.  Thus, I think the patch
should be backed out until we can figure out the correct way to make
generate-id() deterministic.  Unfortunately, this will cause a
regression in reproducibility, but I think that's outweighed by the
breakage.

Regards,
Andrew



More information about the Reproducible-builds mailing list