[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [fis-gtm] "action needed" items



Hi Amul,

On Wed, Mar 30, 2016 at 05:17:52PM -0400, Amul Shah wrote:
> FIS released GT.M V6.3-000 yesterday and I am in the process of updating the
> Debian package. Since I have the spare cycles, I want to address a few of
> the "action needed" items listed on https://tracker.debian.org/pkg/fis-gtm.

Thanks for keeping the packages up to date.

> I made some changes to address the uscan error and lintian warnings, but I
> have some questions about two other items.
> 
> -- non-reproducible builds --
> The link for this,
> https://tests.reproducible-builds.org/rb-pkg/testing/amd64/fis-gtm.html, is
> marked with a FTBFS for the second build. The problem with the second build
> seems to be a configuration problem on the build server. Notice the
> complaints (below) from PERL about LC_ALL. The recurring setlocale warnings
> seem to have caused problems for CMake resulting in a build failure.
> >I: using fakeroot in build.
> >I: pbuilder: network access will be disabled during build
> >I: Current time: Mon May  1 02:34:11 GMT-14 2017
> >I: pbuilder-time-stamp: 1493555651
> >I: Building the build Environment
> >I: extracting base tarball [/var/cache/pbuilder/testing-reproducible-base.tgz]
> >I: copying local configuration
> >perl: warning: Setting locale failed.
> >perl: warning: Please check that your locale settings:
> >	LANGUAGE = (unset),
> >	LC_ALL = "fr_CH.UTF-8",
> >	LANG = "fr_CH.UTF-8"
> >     are supported and installed on your system.
> >perl: warning: Falling back to the standard locale ("C").
> See https://tests.reproducible-builds.org/logs/unstable/amd64/fis-gtm_6.2-002A-3.build2.log.gz for the full build log

Seems as if the Build server is located in French speaking part of
Swiss. :-)  I'd also not really concerned about this.  Sometimes I
needed to force a certain locale for some packages but I do not think
this is needed here.
 
> Do I need to take any action to address the above?

I do not think so.  I guess the reproducible builds team would file a
bug report if they consider it an issue of packaging.
 
> Previously, when I looked at the non-reproducible build warnings, I saw a warning complaining about the following list of files:
>   dsehelp.dat
>   gdehelp.dat
>   gtmhelp.dat
>   lkehelp.dat
>   mupiphelp.dat
> 
> The above files are FIS GT.M database files generated during the build.
> These databases hold the online help for FIS GT.M executables. Database
> files won't be the same due to time related information in the block
> headers. So I need to exclude these files from being checked.

I wonder whether there would be any sensible chance to determine the
time stamp - may be for instance to the time stamp of the changelog.
Does GT.M provide any such functionality?
 
> I read https://wiki.debian.org/ReproducibleBuilds and
> https://reproducible-builds.org/docs to learn how to exclude these files
> from being checked, but could not find any mechanism. Most of the docs
> merely glorified the greatness* reproducible builds. Does anyone know a way
> to exclude these files? * I agree with it the principle, but I have an
> exception that I cannot work around.

I do not think that you can exclude any files from beeing checked.  I'd
recommend talking with upstream whether any fixed time setting would be
possible or the reproducible builds team whether they know any way to
create a fake-system-time.
 
> -- build log check warning --
> The fis-gtm build was tagged with "W-compiler-flags-hidden". If I understood
> https://wiki.debian.org/Hardening#Notes_for_packages_using_CMake correctly,
> I should get dpkg-buildflags for free. Am I correct?
> 
> The hardening options are in force.
> >shaha:~/debmed/fis-gtm> hardening-check
> >/usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-000_x86_64/mumps
> >/usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-000_x86_64/libgtmshr.so
> >/usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-000_x86_64/mumps:
> > Position Independent Executable: no, normal executable!
> > Stack protected: yes
> > Fortify Source functions: yes
> > Read-only relocations: yes
> > Immediate binding: no, not found!
> >/usr/lib/x86_64-linux-gnu/fis-gtm/V6.3-000_x86_64/libgtmshr.so:
> > Position Independent Executable: no, regular shared library (ignored)
> > Stack protected: yes
> > Fortify Source functions: yes (some protected functions found)
> > Read-only relocations: yes
> > Immediate binding: no, not found!
> 
> 
> On a second read of https://qa.debian.org/bls/bytag/W-compiler-flags-hidden.html, I think I understand the complaint better.
> >buildd log scanner tag W-compiler-flags-hidden
> >
> >description
> >
> >The package contains build commands which hide the real compiler flags
> >(non-verbose builds). This prevents automatic checks for missing
> >(hardening) flags.
> >
> >False positives are possible, especially when building in parallel. In this case this warning can be ignored.
> The complaint is that the build flags are not present in the build log file. Would the fix be to build with VERBOSE=1?

I admit I never cared about this and thus can't comment on this.
 
Kind regards

        Andreas.

-- 
http://fam-tille.de


Reply to: