Bug#969084: buildd.d.o: please don't use a tainted buildenv

Guillem Jover guillem at debian.org
Thu Aug 27 15:25:56 BST 2020


On Thu, 2020-08-27 at 13:06:56 +0000, Holger Levsen wrote:
> On Thu, Aug 27, 2020 at 03:00:43PM +0200, Aurelien Jarno wrote:
> > On 2020-08-27 13:25, Holger Levsen wrote:
> > > Package: buildd.debian.org
> > > Severity: wishlist
> > > User: reproducible-builds at lists.alioth.debian.org
> > > Usertags: environment

> > > for a while now dpkg has been adding a small note to a .buildinfo if /usr/local/sbin
> > > is populated (which I'm not sure I agree is sensible, but it's what dpkg
> > > currently does), e.g.
> > > 
> > > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep Build-Tainted-By: 08/ |wc -l
> > > 35473
> > > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ find 08 -name "*.buildinfo" | wc -l
> > > 37182
> > > 
> > > so almost all .buildinfo files from August 2020 are tainted.
> > > 
> > > (profitbricks7 is hosting https://buildinfos.debian.net if you want to check
> > > for yourself easily.)
> > > 
> > > So how are they tainted:
> > > 
> > > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ grep -A 2 Build-Tainted-By: 08/06/firejail_0.9.62-4_ppc64el-buildd.buildinfo
> > > Build-Tainted-By:
> > >  usr-local-has-programs
> > > Installed-Build-Depends:
> > > 
> > > 
> > > And then, also, not all .buildinfo files are tainted by "usr-local-has-programs" because
> > > holger at profitbricks-build7-amd64:~jenkins/userContent/reproducible/debian/ftp-master.debian.org/buildinfo/2020$ rgrep usr-local-has-programs 08/ |wc -l
> > > 35017
> > > 
> > > (But I guess that's probably material for another bug report.)
> > > 
> > > Any chance the Debian buildds could not have a tainted /usr/local?
> > 
> > The only file in /usr/local is /usr/local/sbin/policy-rc.d which is
> > needed to prevent daemons from starting in the chroot. Not sure how we can do
> > things differently.
> 
> thanks for that info! maybe dpkg could treat /usr/local not as tainted if the
> only file in /usr/local is /usr/local/sbin/policy-rc.d ?

While we could perhaps add an exception in the Debian vendor profile,
it does look like this is working as intended? :) This is a local file
that might affect the build, which is otherwise not trackable, say
what "version" (with which changes) was being used, etc. I think ideally
this would be using a system pathname and be part of a package that then
gets listed in the .buildinfo files.

Thanks,
Guillem
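The thread above counts tainted .buildinfo files with rgrep. The following is an added example, not code from the thread or from dpkg: a small parser for the deb822 layout that .buildinfo files use, which pulls out the multi-line Build-Tainted-By field and summarises the taint reasons across a set of files. The three .buildinfo bodies embedded below are constructed samples (package names, versions and dependency lines are made up), not real files from buildinfos.debian.net; the taint reason names are the ones dpkg itself emits.

```python
"""Extract Build-Tainted-By reasons from dpkg .buildinfo files.

Added example for the thread above; not dpkg's own code. The sample
bodies are constructed for illustration, not real buildd output.
"""
from collections import Counter


def parse_deb822(text):
    """Parse the first deb822 paragraph of `text` into a dict.

    A field line is "Name: value"; a line beginning with a space or tab
    continues the previous field. Multi-line fields such as
    Build-Tainted-By and Installed-Build-Depends carry one item per
    continuation line, so their value is returned as a list of stripped
    lines (a single-line field stays a plain string). A blank line ends
    the paragraph.
    """
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # end of the first paragraph
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any field")
            value = fields[current]
            if isinstance(value, str):
                # promote to a list; an empty first line holds no item
                fields[current] = [value] if value else []
            fields[current].append(raw.strip())
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed field line: {raw!r}")
        current = name.strip()
        fields[current] = value.strip()
    return fields


def tainted_by(text):
    """Return the taint reasons of one .buildinfo, [] if it has none."""
    value = parse_deb822(text).get("Build-Tainted-By", [])
    if isinstance(value, str):
        # tolerate a single-line form with whitespace-separated reasons
        return value.split()
    return value


def taint_summary(buildinfos):
    """Count tainted files and how often each reason occurs."""
    tainted = 0
    reasons = Counter()
    for text in buildinfos:
        found = tainted_by(text)
        if found:
            tainted += 1
            reasons.update(found)
    return {"total": len(buildinfos), "tainted": tainted,
            "reasons": dict(reasons)}


# Constructed samples (not real .buildinfo files).
SAMPLE_TAINTED = """\
Format: 1.0
Source: examplepkg
Binary: examplepkg
Architecture: amd64
Version: 1.0-1
Build-Origin: Debian
Build-Architecture: amd64
Build-Tainted-By:
 usr-local-has-programs
Installed-Build-Depends:
 base-files (= 11),
 dpkg-dev (= 1.20.0)
"""

SAMPLE_CLEAN = """\
Format: 1.0
Source: otherpkg
Binary: otherpkg
Architecture: amd64
Version: 2.3-4
Installed-Build-Depends:
 base-files (= 11)
"""

SAMPLE_TWO_REASONS = """\
Format: 1.0
Source: thirdpkg
Binary: thirdpkg
Architecture: arm64
Version: 0.5-2
Build-Tainted-By:
 usr-local-has-programs
 usr-local-has-libraries
Installed-Build-Depends:
 base-files (= 11)
"""


if __name__ == "__main__":
    print(taint_summary([SAMPLE_TAINTED, SAMPLE_CLEAN, SAMPLE_TWO_REASONS]))
```

To run this over a real tree, read each `*.buildinfo` under the month directory and pass the texts to `taint_summary`; the `tainted` count corresponds to the `rgrep Build-Tainted-By:` figure in the thread, and the per-reason counts to the `rgrep usr-local-has-programs` figure, without depending on grep's line-based matching.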
