rust-vergen inserts build timestamps, possible irreproducibility source

  • Open
  • quality assurance status badge
Details
2 participants
  • Fabian Grünbichler
  • Maxime Devos
Owner
unassigned
Submitted by
Maxime Devos
Severity
normal
M
M
Maxime Devos wrote on 2 Aug 2022 18:57
(address . bug-guix@gnu.org)
c93dc305-6988-95c0-6d8f-4e5e2c733dcb@telenet.be
While fixing build failures in antioxidant, I noticed that rust-vergen
is a potential source of irreproducibility -- the README.md contains the
following:
Toggle quote (18 lines)
> ## Documentation
> [Documentation](https://docs.rs/vergen)
>
> ## Generate Compile Time Information
> `vergen`, when used in conjunction with cargo [build scripts], will
> generate environment variables to use with the `env!` macro. Below
> is a list of the supported variables.
>
> Key                       | Sample Value
> --------------------------|----------------------------------------
> VERGEN_BUILD_TIMESTAMP    |2018-08-09T15:15:57.282334589+00:000
> VERGEN_BUILD_DATE         |2018-08-09
> VERGEN_SHA |75b390dc6c05a6a4aa2791cc7b3934591803bc22
> VERGEN_SHA_SHORT          |75b390d
> VERGEN_COMMIT_DATE        |2018-08-08
> VERGEN_TARGET_TRIPLE      |x86_64-unknown-linux-gnu
> VERGEN_SEMVER             |v3.0.0
> VERGEN_SEMVER_LIGHTWEIGHT |v3.0.0
I'll try patching out the timestamps with 1970-...
Greetings,
Maxime.
Attachment: OpenPGP_0x49E3EE22191725EE.asc
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 2 Aug 2022 19:14
(address . 56893@debbugs.gnu.org)
6db9b36d-3411-5473-68a5-56df714e2c1c@telenet.be
The following phase works around the issue for me (for antioxidant) --
this makes "guix build --check" pass (at least for antioxidant):
Toggle quote (14 lines)
> +    ;; TODO: SOURCE_DATE_EPOCH support would be nice.  Also maybe
> better fit for a snippet?
> +    ;;
> +    ;; Make the rust-vergen reproducible and avoid causing
> irreproducibility
> +    ;; in dependents.
> +    ("rust-vergen"
> +     ,#~((add-after 'unpack 'remove-timestamp-irreproducibility
> +       (lambda _
> +         (substitute* (find-files "." "\\.rs$")
> +           (("^extern crate chrono;") "extern crate chrono; use
> chrono::Utc; use chrono::TimeZone;")
> +           (("^use chrono::Utc;") "use chrono::Utc; use
> chrono::TimeZone;")
Should also work for cargo-build-system, but untested.
Greetings,
Maxime
Attachment: OpenPGP_0x49E3EE22191725EE.asc
Attachment: OpenPGP_signature
M
M
Maxime Devos wrote on 2 Aug 2022 22:16
Re: rust-vergen inserts build timestamps
22fbd85d-9f0e-64f8-98d6-972a0f7c9219@telenet.be
On 02-08-2022 20:41, Geert Stappers wrote:
Toggle quote (13 lines)
> Date: Tue, 2 Aug 2022 19:18:46 +0200, From: Maxime Devos
>> In Guix, I've noticed that rust-vergen embeds build timestamps. There is also
>> a work-around available: <https://issues.guix.gnu.org/56893#1>.
>
>
> Thanks for reporting the FTBR.
>
> Please update the workaround, so it looks more
> like https://en.wikipedia.org/wiki/Diff#Unified_format
> and can be absured by https://en.wikipedia.org/wiki/Patch_(Unix)
>
>
> Just telling the filename that needs modification would be a great help.
Oops, I did not send the full work-around, here it is:
Toggle quote (6 lines)
>          (substitute* (find-files "." "\\.rs$")
>            (("^extern crate chrono;") "extern crate chrono; use
> chrono::Utc; use chrono::TimeZone;")
>            (("^use chrono::Utc;") "use chrono::Utc; use
> chrono::TimeZone;")
>            (("\\bUtc::now\\(\\)") "Utc.timestamp(0, 0)"))))))
(Should hopefully be clearer now!)
The important thing here is replacing all instances of Utc::now()
(across all Rust source files of rust-vergen) by Utc.timestamp(0, 0),
the rest is just adding the required imports -- I have not made a list
of all file names.  If you want a list, try "grep -rF Utc::now" or such.
I do not intend to update the workaround, it works fine in Guix and
frankly porting it to whatever format Debian likes is Debian's concern,
not Guix', I'm just sharing our workaround as a courtesy to another distro.
Greetings,
Maxime.
Attachment: OpenPGP_0x49E3EE22191725EE.asc
Attachment: OpenPGP_signature
F
F
Fabian Grünbichler wrote on 3 Aug 2022 09:09
Re: [Pkg-rust-maintainers] Bug#1016546: rust-vergen inserts build timestamps
1659510404.ppd071f89s.astroid@nora.none
On August 2, 2022 10:16 pm, Maxime Devos wrote:
Toggle quote (35 lines)
> On 02-08-2022 20:41, Geert Stappers wrote:
>
>> Date: Tue, 2 Aug 2022 19:18:46 +0200, From: Maxime Devos
>>> In Guix, I've noticed that rust-vergen embeds build timestamps. There is also
>>> a work-around available: <https://issues.guix.gnu.org/56893#1>.
>>
>>
>> Thanks for reporting the FTBR.
>>
>> Please update the workaround, so it looks more
>> like https://en.wikipedia.org/wiki/Diff#Unified_format
>> and can be absured by https://en.wikipedia.org/wiki/Patch_(Unix)
>>
>>
>> Just telling the filename that needs modification would be a great help.
>
> Oops, I did not send the full work-around, here it is:
>
>>          (substitute* (find-files "." "\\.rs$")
>>            (("^extern crate chrono;") "extern crate chrono; use
>> chrono::Utc; use chrono::TimeZone;")
>>            (("^use chrono::Utc;") "use chrono::Utc; use
>> chrono::TimeZone;")
>>            (("\\bUtc::now\\(\\)") "Utc.timestamp(0, 0)"))))))
> (Should hopefully be clearer now!)
>
> The important thing here is replacing all instances of Utc::now()
> (across all Rust source files of rust-vergen) by Utc.timestamp(0, 0),
> the rest is just adding the required imports -- I have not made a list
> of all file names.  If you want a list, try "grep -rF Utc::now" or such.
>
> I do not intend to update the workaround, it works fine in Guix and
> frankly porting it to whatever format Debian likes is Debian's concern,
> not Guix', I'm just sharing our workaround as a courtesy to another distro.

also note that for debian purposes, we likely want to honor
SOURCE_DATE_EPOCH instead of setting it to epoch zero.
?