Bug#784335: libapache2-mod-perl2: please make the package build reproducible

Niko Tyni ntyni at debian.org
Wed May 6 15:14:47 UTC 2015


On Wed, May 06, 2015 at 04:55:20PM +0200, gregor herrmann wrote:
> On Tue, 05 May 2015 16:22:02 +0200, Jérémy Bobbio wrote:
> Thanks for the bug report and patch.
> 
> For reference, here's the debbindiff:
> https://reproducible.debian.net/dbd/unstable/amd64/libapache2-mod-perl2_2.0.9~1624218-2.debbindiff.html

> > +libapache2-mod-perl2 (2.0.9~1624218-2.0~reproducible1) UNRELEASED; urgency=low
> > +
> > +  * Set PERL_HASH_SEED=0 when running configure to generate
> > +    identical code accross builds.
> > +
> > + -- Jérémy Bobbio <lunar at debian.org>  Tue, 05 May 2015 16:13:37 +0200
> > +
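Review bot: "accross" in the changelog entry is a typo for "across". It would also help future readers if the entry named which configure output differed between builds (the debbindiff linked above shows it), so that the reason for pinning the hash seed survives after the reproducible-builds context is forgotten.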

> >  override_dh_auto_configure:
> > -	dh_auto_configure -- \
> > +	PERL_HASH_SEED=0 dh_auto_configure -- \
> >  		INSTALLDIRS=vendor \
> >  		MP_TRACE=0 \
> >  		MP_USE_DSO=1 \
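Review bot: prefixing `PERL_HASH_SEED=0` to the `dh_auto_configure` line scopes the variable to that single invocation, which is the right narrowness given the perlrun warning that a fixed seed removes the hash-collision protection; please confirm that nothing generated by that configure run carries the value forward into the build or test stages (for example by recording the environment in the generated Makefile), so the fixed seed never reaches the built module or the test suite. The more robust fix would be to sort the hash keys in whatever generator emits the non-deterministic output, which removes the need for the environment override entirely.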

> I'm a bit wary here since
> - I don't really understand what this PERL_HASH_SEED variable does

It disables hash order randomization. From perlrun.pod:

    PERL_HASH_SEED
                (Since Perl 5.8.1, new semantics in Perl 5.18.0) Used to
                override the randomization of Perl's internal hash function.
                The value is expressed in hexadecimal, and may include a
                leading 0x. Truncated patterns are treated as though they are
                suffixed with sufficient 0's as required.

                If the option is provided, and "PERL_PERTURB_KEYS" is NOT set,
                then a value of '0' implies "PERL_PERTURB_KEYS=0" and any
                other value implies "PERL_PERTURB_KEYS=2".

                PLEASE NOTE: The hash seed is sensitive information. Hashes
                are randomized to protect against local and remote attacks
                against Perl code. By manually setting a seed, this protection
                may be partially or completely lost.

                See "Algorithmic Complexity Attacks" in perlsec,
                "PERL_PERTURB_KEYS", and "PERL_HASH_SEED_DEBUG" for more
                information.

ISTR we've used PERL_HASH_SEED=0 in the past as a last resort for running
test suites that rely on hash ordering and aren't easily fixable.

In this case, I assume the configure step writes out quite a few makefiles
and the like, and the generating code would otherwise need to be patched
to sort hash keys.

I certainly hope setting PERL_HASH_SEED=0 in the configure step doesn't
carry over to the built embedded Perl interpreter. If it did, that would
introduce a definite security problem. This seems unlikely to me, however.
-- 
Niko Tyni   ntyni at debian.org
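To make the hash-ordering point concrete, here is an added Perl example (not code from the bug report, the patch, or the mod_perl package). It models a configure step that emits makefile assignments by iterating over a hash: the unsorted version changes order from run to run under hash randomization, which is exactly the non-reproducibility the patch works around, while the sorted version is stable without touching `PERL_HASH_SEED`. The variable names are a constructed sample mirroring the `debian/rules` hunk above; `emit_unsorted`, `emit_sorted` and `seed_status` are names chosen for this example.

```perl
#!/usr/bin/perl
# Added example, not part of the original thread or of mod_perl.
# Demonstrates why emitting build output from `keys %hash` is not
# reproducible, and the two ways to make it so.
use strict;
use warnings;

# Constructed sample: the kind of settings a configure run writes out.
my %vars = (
    INSTALLDIRS => 'vendor',
    MP_TRACE    => 0,
    MP_USE_DSO  => 1,
);

# Non-deterministic: `keys` follows the internal hash order, which depends on
# the per-process seed (and, since Perl 5.18, per-hash key perturbation).
# Two builds can therefore emit the same assignments in different orders.
sub emit_unsorted {
    my ($h) = @_;
    return join '', map { "$_ = $h->{$_}\n" } keys %$h;
}

# Deterministic regardless of seed: sort the keys before emitting.  This is
# the fix the generating code would need if the environment workaround were
# not used.
sub emit_sorted {
    my ($h) = @_;
    return join '', map { "$_ = $h->{$_}\n" } sort keys %$h;
}

# Report whether this interpreter was started with a fixed seed.  That is what
# `PERL_HASH_SEED=0 dh_auto_configure` does for the configure run only; a
# separately started interpreter (such as the one embedded in Apache) reads
# its own environment at startup, so this is a cheap check for leakage.
sub seed_status {
    return defined $ENV{PERL_HASH_SEED}
        ? "PERL_HASH_SEED=$ENV{PERL_HASH_SEED} (fixed seed: order stable across runs, collision protection reduced)"
        : "PERL_HASH_SEED unset (randomized seed: order may differ per run)";
}

print seed_status(), "\n\n";
print "# unsorted emit (follows hash iteration order):\n", emit_unsorted(\%vars), "\n";
print "# sorted emit (byte-for-byte stable):\n", emit_sorted(\%vars);
```

Run it twice as `perl hashorder.pl` and once as `PERL_HASH_SEED=0 perl hashorder.pl`, then diff the "unsorted emit" sections: the plain runs will eventually differ (with only three keys it may take a few runs), while the fixed-seed runs match each other, and the "sorted emit" section is identical in every case. To check Niko's concern that the fixed seed does not carry over, start the built interpreter with `PERL_HASH_SEED_DEBUG=1` (documented in the perlrun excerpt above); it prints the seed actually in use at startup, which should vary between runs once the build is finished.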


