Hi @danielsh-guest,

I saw in Cyrus-Imapd reproducible report that you produced a patch to help reproducilility of this package. Sadly your patch was on anonscm.debian.org which is done now (I'm now maintainer of Cyrus-Imapd).

Could you give me your patch ?

Here is the reproducible comment:

[...] The only difference between these two sets is the location of chartables_iso_8859_1.

The static arrays are written by lib/mkchartable.pl in argv order [1], where argv is the shell glob «lib/charset/*.t» [2], which expands differently in the "C" v. "fr_CH.UTF-8" locales.

Hence, sort()ing the arguments in the Perl script should fix this issue: https://anonscm.debian.org/cgit/users/danielsh-guest/reproducible-patches.git/plain/cyrus-imapd-2.5.9-2.diff

@yadd Sure, here it is, though as you can see there's nothing surprising about it. The important thing is to make sure that sort is locale-agnostic — that is, that it treats the arguments as bytes, rather than characters. Sorry about that dead link; I'll fix it in a moment.

diff --git a/debian/patches/0018-reproducibility.patch b/debian/patches/0018-reproducibility.patch
new file mode 100644
index 0000000..b15f6e0
--- /dev/null
+++ b/debian/patches/0018-reproducibility.patch
@@ -0,0 +1,10 @@
+--- a/lib/mkchartable.pl
++++ b/lib/mkchartable.pl
+@@ -55,6 +55,7 @@
+ GetOptions( 'map|m=s'    => \@maps,      #strings
+             'aliases|a=s' => \$aliasfile, #string
+             'output|o=s' => \$output);    #string
++@ARGV = sort @ARGV;
+ open (OUTPUT, ">$output");
+ printheader(\@maps, \@ARGV);
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 8457a83..ba5ebf8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@
 0015-Fix-extra-libpci-in-SNMP_LIBS.patch
 0016-Use-UnicodeData.txt-from-system.patch
 0017-libisieve-has-to-be-noinst_LTLIBRARY-for-PIC-code-to.patch
+0018-reproducibility.patch

@danielsh-guest: thanks ! Are you sure this will work ? @ARGV does not contain map files at this step (transfered in @maps):

diff --git a/lib/mkchartable.pl b/lib/mkchartable.pl
index 12a0830..c415ac2 100644
--- a/lib/mkchartable.pl
+++ b/lib/mkchartable.pl
@@ -56,6 +56,8 @@ GetOptions( 'map|m=s'    => \@maps,      #strings
             'aliases|a=s' => \$aliasfile, #string
             'output|o=s' => \$output);    #string
 open (OUTPUT, ">$output");
+@maps = sort @maps;
+@ARGV = sort @ARGV;
 printheader(\@maps, \@ARGV);
 
 # first we parse the chartable unicode mappings and the fixes

I think it will work with or without sorting @maps.

The root problem here is that the content of the binary package is directly affected by the order of positional arguments (or, at least, this was the case in 2016 when I wrote the package notes; I don't immediately see it in the current diffoscope output).

The order of positional arguments is the order of filenames in the expansion of the *.t glob. That order depends on the locale. Therefore, the script should sort positional arguments — i.e., what remains in @ARGV after Getopt::Long removed --options and their arguments — in a locale-independent fashion.

As to @maps, mkchartable.pl is invoked as:

       $(AM_V_GEN)perl $(top_srcdir)/lib/mkchartable.pl -m $(top_srcdir)/lib/charset/unifix.txt -m $(top_srcdir)/lib/charset/UnicodeData.txt -a $(top_srcdir)/lib/charset/aliases.txt -o $@ $(top_srcdir)/lib/charset/*.t || (rm -f $@ && exit 1)

so @maps will always contain the same three values, in the same order: unifix.txt, UnicodeData.txt, aliases.txt. Hence, there is no reason to sort it. It wouldn't be wrong, though; it's merely not necessary for making cyrus-imapd reproducible.

Do you already have a setup for locally testing reproducibility, such as the new, sbuild-based setup documented on the wiki? If you don't, you can ask on #debian-reproducible for someone to test the patch. (I'd test it myself, but I don't have reprotest set up nowadays.) Note that the package will not be made reproducible solely by this patch: for example, the diff of the .rodata section (there's just one of those in the diffoscope output) shows a /bin/rm v. /usr/bin/rm difference, which mkchartable.pl isn't responsible for.

OK, I reported this upstream, thanks!

You're welcome! Got a link to the upstream discussion handy? I'd be interested to follow.

@danielsh-guest: discussion link

Thanks :)

Hi guys,

Can you look for SCRAM-SHA-1 problem and add all support?

• https://bugs.exim.org/show_bug.cgi?id=2349#c6

Cyrus SASL has support of:

• SCRAM-SHA-1
• SCRAM-SHA-1-PLUS
• SCRAM-SHA-224
• SCRAM-SHA-224-PLUS
• SCRAM-SHA-256
• SCRAM-SHA-256-PLUS
• SCRAM-SHA-384
• SCRAM-SHA-384-PLUS
• SCRAM-SHA-512
• SCRAM-SHA-512-PLUS

Source:

• https://github.com/cyrusimap/cyrus-sasl/commits/master
• https://cyrusimap.org/sasl/sasl/authentication_mechanisms.html

Thanks in advance.

cc @ondrej