GNU bug report logs - #56893
rust-vergen inserts build timestamps, possible irreproducibility source

Previous Next

Package: guix;

Reported by: Maxime Devos <maximedevos <at> telenet.be>

Date: Tue, 2 Aug 2022 16:59:01 UTC

Severity: normal

To reply to this bug, email your comments to 56893 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-guix <at> gnu.org:
bug#56893; Package guix. (Tue, 02 Aug 2022 16:59:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Maxime Devos <maximedevos <at> telenet.be>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Tue, 02 Aug 2022 16:59:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: bug-guix <at> gnu.org
Subject: rust-vergen inserts build timestamps, possible irreproducibility
 source
Date: Tue, 2 Aug 2022 18:57:54 +0200

[Message part 1 (text/plain, inline)]
While fixing build failures in antioxidant, I noticed that rust-vergen 
is a potential source of irreproducibility -- the README.md contains the 
following:

> ## Documentation
> [Documentation](https://docs.rs/vergen)
>
> ## Generate Compile Time Information
> `vergen`, when used in conjunction with cargo [build scripts], will
> generate environment variables to use with the `env!` macro. Below
> is a list of the supported variables.
>
> Key                       | Sample Value
> --------------------------|----------------------------------------
> VERGEN_BUILD_TIMESTAMP    |2018-08-09T15:15:57.282334589+00:000
> VERGEN_BUILD_DATE         |2018-08-09
> VERGEN_SHA |75b390dc6c05a6a4aa2791cc7b3934591803bc22
> VERGEN_SHA_SHORT          |75b390d
> VERGEN_COMMIT_DATE        |2018-08-08
> VERGEN_TARGET_TRIPLE      |x86_64-unknown-linux-gnu
> VERGEN_SEMVER             |v3.0.0
> VERGEN_SEMVER_LIGHTWEIGHT |v3.0.0
I'll try patching out the timestamps with 1970-...

Greetings,
Maxime.



[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded to bug-guix <at> gnu.org:
bug#56893; Package guix. (Tue, 02 Aug 2022 17:15:02 GMT) Full text and rfc822 format available.

Message #8 received at 56893 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 56893 <at> debbugs.gnu.org
Subject: Re: rust-vergen inserts build timestamps, possible irreproducibility
 source
Date: Tue, 2 Aug 2022 19:14:54 +0200

[Message part 1 (text/plain, inline)]
The following phase works around the issue for me (for antioxidant) -- 
this makes "guix build --check" pass (at least for antioxidant):

> +    ;; TODO: SOURCE_DATE_EPOCH support would be nice.  Also maybe 
> better fit for a snippet?
> +    ;;
> +    ;; Make the rust-vergen reproducible and avoid causing 
> irreproducibility
> +    ;; in dependents.
> +    ("rust-vergen"
> +     ,#~((add-after 'unpack 'remove-timestamp-irreproducibility
> +       (lambda _
> +         (substitute* (find-files "." "\\.rs$")
> +           (("^extern crate chrono;") "extern crate chrono; use 
> chrono::Utc; use chrono::TimeZone;")
> +           (("^use chrono::Utc;") "use chrono::Utc; use 
> chrono::TimeZone;")

Should also work for cargo-build-system, but untested.

Greetings,
Maxime


[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded to bug-guix <at> gnu.org:
bug#56893; Package guix. (Tue, 02 Aug 2022 20:17:02 GMT) Full text and rfc822 format available.

Message #11 received at 56893 <at> debbugs.gnu.org (full text, mbox):

From: Maxime Devos <maximedevos <at> telenet.be>
To: 1016546 <at> bugs.debian.org, 56893 <at> debbugs.gnu.org
Subject: Re: rust-vergen inserts build timestamps
Date: Tue, 2 Aug 2022 22:16:28 +0200

[Message part 1 (text/plain, inline)]
On 02-08-2022 20:41, Geert Stappers wrote:

> Date: Tue, 2 Aug 2022 19:18:46 +0200, From: Maxime Devos
>> In Guix, I've noticed that rust-vergen embeds build timestamps. There is also
>> a work-around available: <https://issues.guix.gnu.org/56893#1>.
>   
>
> Thanks for reporting the FTBR.
>
> Please update the workaround, so it looks more
> like https://en.wikipedia.org/wiki/Diff#Unified_format
> and can be absured by https://en.wikipedia.org/wiki/Patch_(Unix)
>
>
> Just telling the filename that needs modification would be a great help.

Oops, I did not send the full work-around, here it is:

>          (substitute* (find-files "." "\\.rs$")
>            (("^extern crate chrono;") "extern crate chrono; use 
> chrono::Utc; use chrono::TimeZone;")
>            (("^use chrono::Utc;") "use chrono::Utc; use 
> chrono::TimeZone;")
>            (("\\bUtc::now\\(\\)") "Utc.timestamp(0, 0)"))))))
(Should hopefully be clearer now!)

The important thing here is replacing all instances of Utc::now() 
(across all Rust source files of rust-vergen) by Utc.timestamp(0, 0), 
the rest is just adding the required imports -- I have not made a list 
of all file names.  If you want a list, try "grep -rF Utc::now" or such.

I do not intend to update the workaround, it works fine in Guix and 
frankly porting it to whatever format Debian likes is Debian's concern, 
not Guix', I'm just sharing our workaround as a courtesy to another distro.

Greetings,
Maxime.


[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
Information forwarded to bug-guix <at> gnu.org:
bug#56893; Package guix. (Wed, 03 Aug 2022 08:55:04 GMT) Full text and rfc822 format available.

Message #14 received at 56893 <at> debbugs.gnu.org (full text, mbox):

From: Fabian Grünbichler <f.gruenbichler <at> proxmox.com>
To: 1016546 <at> bugs.debian.org, 56893 <at> debbugs.gnu.org, Maxime Devos
 <maximedevos <at> telenet.be>
Subject: Re: [Pkg-rust-maintainers] Bug#1016546: rust-vergen inserts build
 timestamps
Date: Wed, 03 Aug 2022 09:09:54 +0200

On August 2, 2022 10:16 pm, Maxime Devos wrote:
> On 02-08-2022 20:41, Geert Stappers wrote:
> 
>> Date: Tue, 2 Aug 2022 19:18:46 +0200, From: Maxime Devos
>>> In Guix, I've noticed that rust-vergen embeds build timestamps. There is also
>>> a work-around available: <https://issues.guix.gnu.org/56893#1>.
>>   
>>
>> Thanks for reporting the FTBR.
>>
>> Please update the workaround, so it looks more
>> like https://en.wikipedia.org/wiki/Diff#Unified_format
>> and can be absured by https://en.wikipedia.org/wiki/Patch_(Unix)
>>
>>
>> Just telling the filename that needs modification would be a great help.
> 
> Oops, I did not send the full work-around, here it is:
> 
>>          (substitute* (find-files "." "\\.rs$")
>>            (("^extern crate chrono;") "extern crate chrono; use 
>> chrono::Utc; use chrono::TimeZone;")
>>            (("^use chrono::Utc;") "use chrono::Utc; use 
>> chrono::TimeZone;")
>>            (("\\bUtc::now\\(\\)") "Utc.timestamp(0, 0)"))))))
> (Should hopefully be clearer now!)
> 
> The important thing here is replacing all instances of Utc::now() 
> (across all Rust source files of rust-vergen) by Utc.timestamp(0, 0), 
> the rest is just adding the required imports -- I have not made a list 
> of all file names.  If you want a list, try "grep -rF Utc::now" or such.
> 
> I do not intend to update the workaround, it works fine in Guix and 
> frankly porting it to whatever format Debian likes is Debian's concern, 
> not Guix', I'm just sharing our workaround as a courtesy to another distro.

also note that for debian purposes, we likely want to honor 
SOURCE_DATE_EPOCH instead of setting it to epoch zero.
This bug report was last modified 2 years and 213 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.