Bug #112601 for common-sense: Non-reproducible build due to hash randomization

Tue Mar 01 04:15:01 2016 ribasushi [...] leporine.io - Ticket created

CC:	rt.cpan.org [...] schmorp.de
Subject:	Non-reproducible build due to hash randomization

The module builds differ randomly on newer perls, making it harder to perform proper library audits. A sort() needs to be inserted somewhere within sense.pm.PL. Self-contained reproduction below: rabbit@Ahasver:~$ cpanm --look common::sense --> Working on common::sense Fetching http://www.cpan.org/authors/id/M/ML/MLEHMANN/common-sense-3.74.tar.gz ... OK Entering /home/rabbit/.cpanm/work/1456823239.11276/common-sense-3.74 with /bin/bash rabbit@Ahasver:~/.cpanm/work/1456823239.11276/common-sense-3.74$ perlbrew use 5.20.0 rabbit@Ahasver:~/.cpanm/work/1456823239.11276/common-sense-3.74$ perl Makefile.PL Checking if your kit is complete... Looks good Generating a Unix-style Makefile Writing Makefile for common::sense Writing MYMETA.yml and MYMETA.json rabbit@Ahasver:~/.cpanm/work/1456823239.11276/common-sense-3.74$ make "/home/rabbit/perl5/perlbrew/perls/5.20.0/bin/perl" sense.pm.PL sense.pm cp sense.pod blib/lib/common/sense.pod cp sense.pm blib/arch/common/sense.pm Manifying 2 pod documents rabbit@Ahasver:~/.cpanm/work/1456823239.11276/common-sense-3.74$ mv sense.pm sense.pm1 rabbit@Ahasver:~/.cpanm/work/1456823239.11276/common-sense-3.74$ make "/home/rabbit/perl5/perlbrew/perls/5.20.0/bin/perl" sense.pm.PL sense.pm Skip blib/lib/common/sense.pod (unchanged) cp sense.pm blib/arch/common/sense.pm Manifying 2 pod documents rabbit@Ahasver:~/.cpanm/work/1456823239.11276/common-sense-3.74$ diff -U1 sense.pm1 sense.pm --- sense.pm1 2016-03-01 10:07:51.455751828 +0100 +++ sense.pm 2016-03-01 10:08:02.743639471 +0100 @@ -12,3 +12,3 @@ $^H |= 0x1c820fc0; - @^H{qw(feature___SUB__ feature_state feature_say feature_fc feature_evalbytes feature_unicode feature_switch)} = (1) x 7; + @^H{qw(feature_unicode feature___SUB__ feature_fc feature_evalbytes feature_switch feature_say feature_state)} = (1) x 7; }

Wed Mar 02 00:00:27 2016 schmorp [...] schmorp.de - Correspondence added

Subject:	Re: [rt.cpan.org #112601] Non-reproducible build due to hash randomization
Date:	Wed, 2 Mar 2016 06:00:04 +0100
To:	Peter Rabbitson via RT <bug-common-sense [...] rt.cpan.org>
From:	Marc Lehmann <schmorp [...] schmorp.de>

Hi! Please send your bug report to the official contact/author address for the module in question (or send it to rt.cpan.org@schmorp.de, that's fine as well). What follows is the rationale for this request, you don't have to read it if you don't care. Why is this necessary? rt.cpan.org has many deficiencies which makes it tedious and hard to use, increasing the workload on the people who provide all the perl modules you probably appreciate (and that is really to be avoided - module authors should be able to invest all their time into improving their modules and not fighting with rt.cpan.org's bugs). Still, for some people, rt.cpan.org is useful to have, and some people even like it and really want to use it. That is fine, too. Unfortunately, the designers of rt.cpan.org didn't make their "service" optional - you can neither opt-in nor opt-out of rt.cpan.org as a module author. Just like a spammer, rt.cpan.org forces its "service" (whether wanted or unwanted) on everybody. Just like a spammer, they don't care for the people they actively hurt. Just like a spammer, they don't don't care to fix these issues and make their "service" ethically acceptable. You cannot even configure it to redirect tickets to somewhere else. Unfortunately, ignoring rt.cpan.org is not an option either: for people reporting possible bugs there is no indication that their report will be ignored, and for module authors it means they miss potentially vital bug reports such as yours (and of course it's a great impression if rt.cpan.org has lots of bug reports that are unanswered, making a module look unmaintained when in fact the opposite might be true). I am sorry that this wasted a bit of your time, but please understand that I am just as much a victim as you are - the problem is the unethical stance of the rt.cpan.org providers who force their "service" on everybody. Please redirect your bug report as stated in the beginning of this mail, and please consider petitioning the rt.cpan.org providers to stop their unethical behaviour and allow opt-in, opt-out, or some redirect option. One last issue: many people mail me that this can be "fixed" by including the bugtracker element in my module meta file. This is not true: 1. This field only affects search.cpan.org and maybe similar services. (Many people confuse rt.cpan.org with search.cpan.org for some reason). 2. It doesn't even work (there are still links to rt.cpan.org displayed). 3. Even if search.cpan.org does no longer display the link, it doesn't actually affect rt.cpan.org (and tests have shown that people go to rt.cpan.org regardless) Even *iff* rt.cpan.org would start listening on the bugtracker field, however, it's still wrong. I have a lot of modules, and each time a service like rt.cpan.org comes out, I would have to make dummy releases for all my modules. This not only creates a lot of extra work for me (I take releases very seriously) but also users, who would wonder why there is a new release. Thanks a lot, Marc Lehmann <rt.cpan.org@schmorp.de> Last updated: 2012-04-22

Wed Mar 02 00:00:28 2016 The RT System itself - Status changed from 'new' to 'open'

Sat Mar 05 22:03:54 2016 schmorp [...] schmorp.de - Correspondence added

CC:	rt.cpan.org [...] schmorp.de
Subject:	Re: [rt.cpan.org #112601] Non-reproducible build due to hash randomization
Date:	Sun, 6 Mar 2016 04:03:35 +0100
To:	Peter Rabbitson via RT <bug-common-sense [...] rt.cpan.org>
From:	Marc Lehmann <schmorp [...] schmorp.de>

On Tue, Mar 01, 2016 at 04:15:07AM -0500, Peter Rabbitson via RT <bug-common-sense@rt.cpan.org> wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=112601 > > > The module builds differ randomly on newer perls, making it harder to perform proper library audits. A sort() needs to be inserted somewhere within sense.pm.PL. Self-contained reproduction below:

Hi! Isn't this already a solved problem (PERL_HASH_SEED and friends)? If you want reproducible buildsa, that seems to be the way to go. -- The choice of a Deliantra, the free code+content MORPG -----==- _GNU_ http://www.deliantra.net ----==-- _ generation ---==---(_)__ __ ____ __ Marc Lehmann --==---/ / _ \/ // /\ \/ / schmorp@schmorp.de -=====/_/_//_/\_,_/ /_/\_\

Sat Mar 05 22:07:02 2016 MLEHMANN [...] cpan.org - Status changed from 'open' to 'rejected'

Sat Mar 05 22:22:46 2016 ribasushi [...] leporine.io - Correspondence added

CC:	rt.cpan.org [...] schmorp.de
Subject:	Re: [rt.cpan.org #112601] Non-reproducible build due to hash randomization
Date:	Sun, 6 Mar 2016 04:22:25 +0100
To:	bug-common-sense [...] rt.cpan.org
From:	Peter Rabbitson <ribasushi [...] cpan.org>

On 03/06/2016 04:03 AM, Marc Lehmann via RT wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=112601 > > > On Tue, Mar 01, 2016 at 04:15:07AM -0500, Peter Rabbitson via RT <bug-common-sense@rt.cpan.org> wrote:

>> <URL: https://rt.cpan.org/Ticket/Display.html?id=112601 > >> >> The module builds differ randomly on newer perls, making it harder to perform proper library audits. A sort() needs to be inserted somewhere within sense.pm.PL. Self-contained reproduction below:

> Hi! > > Isn't this already a solved problem (PERL_HASH_SEED and friends)? If you > want reproducible buildsa, that seems to be the way to go. >

I do not disagree with this. If reproducible builds were the endgoal - then yes, it makes sense to freeze the seed in order to help things get into a stable order. In my case however the build is a means-to-an-end: the target is a verbose CI environment which tests a project on a wide array of perl configurations (some of which 5.18+). As it is extremely unlikely an end user will peg their PERL_HASH_SEED, doing so in my test environment would compromise the results. The non-reproducibility of common/sense.pm is not critical, it was simply one of the very few things to jump out when doing environment comparison as shown in the (runnable) "oneliner" in this commit message: https://github.com/dbsrgits/dbix-class/commit/e48635f717. Given the overhead of calling sort once per build is beyond negligible, this ticket was filed. Thanks in advance!

Sun Mar 06 03:01:36 2016 SREZIC [...] cpan.org - Correspondence added

RT-Send-CC:

schmorp [...] schmorp.de, rt.cpan.org [...] schmorp.de

On 2016-03-01 04:15:01, RIBASUSHI wrote: Show quoted text

> The module builds differ randomly on newer perls, making it harder to > perform proper library audits. A sort() needs to be inserted somewhere > within sense.pm.PL.

Related: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778952 (Debian currently patches libcommon-sense-perl using this sort()).

Mon Mar 07 02:45:40 2016 ribasushi [...] leporine.io - Correspondence added

Subject:	Re: [rt.cpan.org #112601] Non-reproducible build due to hash randomization
Date:	Mon, 7 Mar 2016 08:45:16 +0100
To:	rt.cpan.org [...] schmorp.de, bug-common-sense [...] rt.cpan.org
From:	Peter Rabbitson <ribasushi [...] cpan.org>

On 03/07/2016 04:54 AM, Marc Lehmann wrote: Show quoted text

> On Sun, Mar 06, 2016 at 04:22:25AM +0100, Peter Rabbitson <ribasushi@cpan.org> wrote:

>> In my case however the build is a means-to-an-end: the target is a verbose >> CI environment which tests a project on a wide array of perl configurations >> (some of which 5.18+). As it is extremely unlikely an end user will peg >> their PERL_HASH_SEED, doing so in my test environment would compromise the >> results.

> sort could likewise compromise the results, just differently.

Can you elaborate on this? There may be some sort of env-dependent failing in sort that I am not aware of, and I'd like to know. Show quoted text

> This all sounds like a lot of hot air about a non-issue

All I wanted to do is reduce the amount of "special casing" I have to do when analyzing the fingerprints of a typical[1] perllib. Thank you for considering the problem. Cheers [1] A typical perl install can not be expected to have any non-stock env settings present.