Bug#784335: libapache2-mod-perl2: please make the package build reproducible

gregor herrmann gregoa at debian.org
Wed May 6 14:55:20 UTC 2015


On Tue, 05 May 2015 16:22:02 +0200, Jérémy Bobbio wrote:

> While working on the “reproducible builds” effort [1], we have noticed
> that libapache2-mod-perl2 could not be built reproducibly.

Thanks for the bug report and patch.

For reference, here's the debbindiff:
https://reproducible.debian.net/dbd/unstable/amd64/libapache2-mod-perl2_2.0.9~1624218-2.debbindiff.html
 
> diff --git a/debian/changelog b/debian/changelog
> index a776b43..2cdba69 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +libapache2-mod-perl2 (2.0.9~1624218-2.0~reproducible1) UNRELEASED; urgency=low
> +
> +  * Set PERL_HASH_SEED=0 when running configure to generate
> +    identical code accross builds.
> +
> + -- Jérémy Bobbio <lunar at debian.org>  Tue, 05 May 2015 16:13:37 +0200
> +
>  libapache2-mod-perl2 (2.0.9~1624218-2) unstable; urgency=medium
>  
>    * Add autopkgtest support.
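
Review bot: the new changelog entry misspells "across" as "accross" in its second line; fix that before upload. The entry would also help later readers if it said why the configure output varies between builds (ordering of Perl hashes in the generated code), since "Set PERL_HASH_SEED=0" on its own does not explain what the seed has to do with the generated code.
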
> diff --git a/debian/rules b/debian/rules
> index a9e2ed8..dcae494 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -10,7 +10,7 @@ PVA     = $(shell perl -MConfig -e'print substr($$Config{vendorarch},1)')
>  	dh $@ --parallel --with apache2
>  
>  override_dh_auto_configure:
> -	dh_auto_configure -- \
> +	PERL_HASH_SEED=0 dh_auto_configure -- \
>  		INSTALLDIRS=vendor \
>  		MP_TRACE=0 \
>  		MP_USE_DSO=1 \
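
Review bot: the PERL_HASH_SEED=0 prefix on dh_auto_configure carries no comment in debian/rules, so a later cleanup could drop it without anyone noticing the regression. Add a one-line comment above the override saying that it pins Perl's hash ordering so the code generated at configure time is identical across builds. As written, the variable applies to the configure invocation only and is not exported to the build or test steps, which is worth stating in that comment as well. Pinning the seed hides the ordering dependency rather than removing it; sorting the hash keys in the generator would make the output stable regardless of the seed and could be proposed upstream.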

I'm a bit wary here since
- I don't really understand what this PERL_HASH_SEED variable does
- it's mentioned in a test file, in a comment, called
  t/response/TestPerl/hash_attack.pm

Only use in code is in src/modules/perl/modperl_perl.c.

USE_HASH_SEED (in src/modules/perl/modperl_perl.c) also sounds
interesting.


Does anybody who actually understands mod_perl know more?


Cheers,
gregor

-- 
 .''`.  Homepage: http://info.comodo.priv.at/ - OpenPGP key 0xBB3A68018649AA06
 : :' : Debian GNU/Linux user, admin, and developer -  https://www.debian.org/
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Led Zeppelin: What Is And What Should Never