Package: cmake Version: 3.24.1-1 Severity: normal X-Debbugs-Cc: yokota.h...@gmail.com
Dear Maintainer, Current CMake (3.24.1) injects randomly named dummy function to output binary. Output binary works well, but this issue breaks reproducible build. Injected code can be examine from here: https://salsa.debian.org/cmake-team/cmake/-/blob/debian/3.24.1-1/Source/cmQtAutoMocUic.cxx#L2177 ```c++ // Placeholder content cmCryptoHash hash(cmCryptoHash::AlgoSHA256); const std::string hashedPath = hash.HashString(compAbs); const std::string functionName = "cmake_automoc_silence_linker_warning" + hashedPath; content += "// No files found that require moc or the moc files are " "included\n" "void " + functionName + "() {}\n"; ``` Randomly named dummy function was generated from absolute path name and SHA256. Absolute path name might be vary in each development machines because source code will be placed in each developer's own path. So, this feature generates non-deterministic output, and breaks reproducible build. Here is issue about this feature in upstream: https://gitlab.kitware.com/cmake/cmake/-/issues/23551 And merge request: https://gitlab.kitware.com/cmake/cmake/-/merge_requests/7558 This bug will break Debian "calibre" package from reproducible build. https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/calibre.html I want to make Debian "calibre" package to reproducible. -- YOKOTA Hiroshi
