Source: golang-github-kr-binarydist
Version: 0.0~git20120828.0.9955b0a-1
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: locale
X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org

Hi,

While working on the "reproducible builds" effort [1], we have noticed that golang-github-kr-binarydist could not be built reproducibly.

When building the package, some test functions are run that generate random test files. The randomness for those test files is provided by the kernel (through the crypto/rand Go package).

The attached patch fixes this by generating deterministic pseudorandom test files instead (by means of the rand Go package and setting a fixed seed).

The function that creates these test files is only used for testing purposes, and as such, I believe there's no security concern. But I'm not familiar with the package, so please double-check it. Also, consider sending this patch upstream :)

Once applied, golang-github-kr-binarydist can be built reproducibly in our current experimental framework.

[1]: https://wiki.debian.org/ReproducibleBuilds

Regards,
-- Dhole

diff -Nru golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog --- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog 2016-06-29 22:09:09.000000000 +0200 +++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/changelog 2016-07-04 01:21:45.000000000 +0200 @@ -1,3 +1,10 @@ +golang-github-kr-binarydist (0.0~git20120828.0.9955b0a-1.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Make test files deterministic to make the package build reproducible. + + -- Eduard Sanou <dh...@openmailbox.org> Mon, 04 Jul 2016 01:21:16 +0200 + golang-github-kr-binarydist (0.0~git20120828.0.9955b0a-1) unstable; urgency=medium * Initial release (Closes: 823342) diff -Nru golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch --- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch 1970-01-01 01:00:00.000000000 +0100 +++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/deterministic-test-files.patch 2016-07-04 01:23:15.000000000 +0200 
@@ -0,0 +1,56 @@ +Description: Deterministic test files + Make the files written during tests deterministic to make this package build + reproducible. +Author: Eduard Sanou <dh...@openmailbox.org> + +--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a.orig/common_test.go ++++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/common_test.go +@@ -1,10 +1,10 @@ + package binarydist + + import ( +- "crypto/rand" + "io" + "io/ioutil" + "os" ++ "rand" + ) + + func mustOpen(path string) *os.File { +@@ -67,8 +67,9 @@ func fileCmp(a, b *os.File) int64 { + return -1 + } + +-func mustWriteRandFile(path string, size int) *os.File { ++func mustWriteRandFile(path string, size int, seed int64) *os.File { + p := make([]byte, size) ++ rand.Seed(seed) + _, err := rand.Read(p) + if err != nil { + panic(err) +--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a.orig/diff_test.go ++++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/diff_test.go +@@ -13,8 +13,8 @@ var diffT = []struct { + new *os.File + }{ + { +- old: mustWriteRandFile("test.old", 1e3), +- new: mustWriteRandFile("test.new", 1e3), ++ old: mustWriteRandFile("test.old", 1e3, 1), ++ new: mustWriteRandFile("test.new", 1e3, 2), + }, + { + old: mustOpen("testdata/sample.old"), +--- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a.orig/patch_test.go ++++ golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/patch_test.go +@@ -8,8 +8,8 @@ import ( + ) + + func TestPatch(t *testing.T) { +- mustWriteRandFile("test.old", 1e3) +- mustWriteRandFile("test.new", 1e3) ++ mustWriteRandFile("test.old", 1e3, 1) ++ mustWriteRandFile("test.new", 1e3, 2) + + got, err := ioutil.TempFile("/tmp", "bspatch.") + if err != nil { diff -Nru golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series --- golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ 
golang-github-kr-binarydist-0.0~git20120828.0.9955b0a/debian/patches/series 2016-07-04 01:22:10.000000000 +0200 @@ -0,0 +1 @@ +deterministic-test-files.patch
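
Review bot: In the import hunk of common_test.go, the added `"rand"` is not a standard-library import path in Go 1; the non-cryptographic generator lives at `math/rand`, so as written the test file will not compile against the standard library. Change the added line to `"math/rand"`. The package-level `rand.Read` in math/rand only exists since Go 1.6, so the build also needs that toolchain or newer.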
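
Review bot: In the mustWriteRandFile hunk of common_test.go, `rand.Seed(seed)` reseeds the package-wide generator on every call, which changes the sequence seen by any other test code drawing from the global source. A generator local to the function, `r := rand.New(rand.NewSource(seed))` followed by `r.Read(p)`, keeps the output deterministic per seed without touching shared state. Since the switch away from crypto/rand is only acceptable because this helper lives in a _test.go file and produces test fixtures, a one-line comment above the function saying so would stop it being copied into non-test code later.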
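
Review bot: In the diff_test.go hunk, the seeds `1` and `2` are bare literals, and the patch_test.go hunk repeats the same pair; nothing records that the two seeds must differ for test.old and test.new to have different contents. Named constants shared by both test files, or a short comment at each call site, would keep the pairs in sync and make the requirement visible.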