
Source of unreproducibility and "security issue"

Description:

This package is not reproducible because at build time the Makefile.PL modifies the _entropy_per_byte variable in Config.pm. Of course, this value depends on the host where the script is run, so different rebuilders will get different values.

In addition, I think this value should be estimated on the machine where the script is actually used, not on the machine where the package was created. I would not expect that anyone is using this for anything security/crypto-related, but since this is in [extra], it would be nice to fix it. A higher estimation from the build machine compared to the machine where the script is run would lead to bad "random" numbers.

I don't know how to solve this. Perhaps we could add a post_install script that reruns calc_entropy and modifies the Config.pm?
