Bug#873937: dpkg: should include information about the used kernel in .buildinfo files

Holger Levsen holger at layer-acht.org
Sat Sep 2 15:53:53 UTC 2017 

Hi Guillem,

On Fri, Sep 01, 2017 at 04:51:55PM +0200, Guillem Jover wrote:
> > during discussing #844431 it became clear, that some information about the
> > running kernel should be included in .buildinfo files, as this can affect the
> > build.
> 
> It is actually not very clear to me. The examples provided there seem
> bogus:
> 
> * Any build that relies on the currently running kernel for the
>   resulting object is broken, and needs to be fixed. The host kernel
>   might/should/will have nothing to do with the build one.
> * Builds that embed build kernel information should be fixed to not
>   do that, as that information should be irrelevant for the generated
>   object.
> * Builds breaking on kernel changing the version schema should only
>   affect things such as kernel modules or similar, anything else is
>   also broken. Any kernel version checks, if at all, should always
>   be done at run-time.
> * Builds breaking due to disabled functionality in the current running
>   kernel should be considered broken. In case of the test suite
>   failing, that should be fixed to skip those tests gracefully. In
>   case of the build system breaking, that should be reworked to not
>   use that functionality (which I'd assume is unportable?).

good points. (just having information on the kernel *can* be helpful, even
though it *should* not matter, but when it (wrongly) does, it is helpful…)
 
> > For a start, including the output of "uname -s -r -v -m -i -o" (so basically
> > uname -a without the hostname) would be better than the current status quo,
> > though it would probably be even nicer to also include a hash of
> > /proc/config.gz or maybe even the whole thing.
> 
> In addition to the above, I'm actually somewhat uncomfortable with this
> request, as it looks like a massive privacy leak. Compared to package
> lists and versions, which are actually requested by the package being
> built and might not have anything to do with the main system this
> build was being run on (say a chroot for example), or might get deleted
> immediately after the build. The kernel tends to be a system-wide
> resource, that even if upgraded does not mean it will be running (until
> a reboot).

on reflection I agree that the privacy implications are too bad.

[more insightful stuff I cannot disagree with removed.]
 
> Given all the above, I'm inclined to just close the report? :)

Probably, maybe, just please keep it open for another week or two for now, so 
others can chime in…

Thanks!


-- 
cheers,
	Holger
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20170902/f49cbfe6/attachment.sig>

More information about the Reproducible-builds mailing list