Bug 1206342 - python-maturin reproducible builds
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Other
Version: Current
Hardware: Other All
Importance: P5 - None : Normal
Assigned To: Mia Herkt
Reported: 2022-12-12 17:39 UTC by Bernhard Wiedemann
Modified: 2022-12-13 07:56 UTC (History)
Found By: Development

Description Bernhard Wiedemann 2022-12-12 17:39:07 UTC
While working on reproducible builds for openSUSE, I found that
our python-maturin varies from 8 random bytes
introduced in
/usr/bin/maturin-3.8 _ZN5ahash12random_state4SEED17ha63d635427cbc526E
probably from vendor/ahash-0.3.8/src/random_state.rs
that gets pulled in by

chumsky/Cargo.lock-[[package]]
chumsky/Cargo.lock-name = "ahash"
chumsky/Cargo.lock:version = "0.3.8"

rfc2047-decoder/Cargo.lock-[[package]]
rfc2047-decoder/Cargo.lock-name = "ahash"
rfc2047-decoder/Cargo.lock:version = "0.3.8"

If I read https://github.com/tkaitchuck/aHash/blob/master/src/random_state.rs correctly, the current version should not have this problem.

I think this could be solved by updating the vendor.tar.xz to only use the newer ahash version.
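
Added example (not part of the bug report and not the package's own tooling): a Python check that walks an unpacked vendor tree and lists every Cargo.lock that still pins ahash 0.3.8, the version named in the description above. The helper names, the `other-crate` directory, the version numbers other than 0.3.8 and the sample lock contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# One [[package]] table as Cargo writes it: name line, then version line.
PKG_RE = re.compile(
    r'^\[\[package\]\][ \t]*\nname = "(?P<name>[^"]+)"[ \t]*\n'
    r'version = "(?P<version>[^"]+)"',
    re.MULTILINE,
)

def locked_versions(lock_text, crate):
    """Return the sorted versions of `crate` pinned in one Cargo.lock.
    A lock file may pin several versions of the same crate."""
    return sorted({m["version"] for m in PKG_RE.finditer(lock_text)
                   if m["name"] == crate})

def audit_tree(root, crate, bad_versions):
    """Map each Cargo.lock under `root` to the flagged versions it pins."""
    findings = {}
    for lock in sorted(Path(root).rglob("Cargo.lock")):
        text = lock.read_text(encoding="utf-8")
        hits = [v for v in locked_versions(text, crate) if v in bad_versions]
        if hits:
            findings[lock.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Build a constructed vendor tree in a temp dir and audit it."""
    entry = '[[package]]\nname = "{}"\nversion = "{}"\n\n'
    sample = {  # constructed sample data, not the real lock files
        "chumsky": entry.format("ahash", "0.3.8")
                   + entry.format("chumsky", "0.0.0"),
        "rfc2047-decoder": entry.format("ahash", "0.3.8"),
        "other-crate": entry.format("ahash", "9.9.9"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for crate_dir, text in sample.items():
            target = Path(tmp, crate_dir)
            target.mkdir()
            (target / "Cargo.lock").write_text("version = 3\n\n" + text,
                                               encoding="utf-8")
        return audit_tree(tmp, "ahash", {"0.3.8"})

if __name__ == "__main__":
    for path, versions in demo().items():
        print(path, versions)
```

An empty result from `audit_tree` on the unpacked vendor.tar.xz means no lock file in the tree pins the flagged version any more.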
Comment 1 Mia Herkt 2022-12-12 19:36:29 UTC
I’ve made an attempt (sr#1042453) and left a comment on the chumsky issue tracker. They’ve updated the dependency in git master, but there’s no release containing that change yet.
Comment 2 OBSbugzilla Bot 2022-12-12 20:05:02 UTC
This is an autogenerated message for OBS integration:
This bug (1206342) was mentioned in
https://build.opensuse.org/request/show/1042453 Factory / python-maturin
Comment 3 Bernhard Wiedemann 2022-12-13 07:53:24 UTC
I ran my tests on devel:languages:python/python-maturin
and it looks good.
Thanks for this quick fix.
Comment 4 Mia Herkt 2022-12-13 07:56:28 UTC
Closing as fixed, then.

I have a lot of things to say about Cargo and the Rust ecosystem