Your message dated Fri, 17 Jul 2020 06:48:48 +0000
with message-id <[email protected]>
and subject line Bug#963467: fixed in qemu 1:5.0-8
has caused the Debian Bug report #963467,
regarding qemu-system-data: embeds hostname and timestamp in hppa-firmware.img
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
963467: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963467
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: qemu-system-data
Version: 1:3.1+dfsg-8+deb10u5
Severity: normal
Tags: patch
User: [email protected]
Usertags: timestamps hostname
X-Debbugs-Cc: [email protected]
The attached patch removes the hostname of the build machine from the
version used and sets the timestamp in the version to use the value
provided by SOURCE_DATE_EPOCH:
https://reproducible-builds.org/docs/source-date-epoch/
live well,
vagrant
From: Vagrant Cascadian <[email protected]>
Date: Sun, 21 Jun 2020 19:38:39 +0000
X-Dgit-Generated: 1:5.0-6~0~20200621~20 92cdacf1c512114ca313800748a5fc162775f51e
Subject: roms/seabios-hppa: Use consistent date and remove hostname.
Two issues break reproducibility; the time and hostname get embedded
in the resulting seabios binary.
Simply drop the hostname from the embedded version string, as it
shouldn't be needed in Debian package builds.
Use the SOURCE_DATE_EPOCH environment variable to set the build date
rather than the current time:
https://reproducible-builds.org/docs/source-date-epoch/
---
--- qemu-5.0.orig/roms/seabios-hppa/scripts/buildversion.py
+++ qemu-5.0/roms/seabios-hppa/scripts/buildversion.py
@@ -125,9 +125,8 @@ def main():
if not ver:
ver = "?"
if not cleanbuild:
- btime = time.strftime("%Y%m%d_%H%M%S")
- hostname = socket.gethostname()
- ver = "%s-%s-%s" % (ver, btime, hostname)
+ btime = time.strftime("%Y%m%d_%H%M%S", time.gmtime(int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))))
+ ver = "%s-%s" % (ver, btime)
write_version(outfile, ver + options.extra, toolstr)
if __name__ == '__main__':
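Review bot: On the added `btime` line, `int(os.environ.get('SOURCE_DATE_EPOCH', time.time()))` raises an unhandled ValueError when the variable is set but empty or not an integer, so the build stops with a traceback instead of a clear message; consider validating the value and reporting the bad input. The line uses `os` but the hunk shows no import being added, so confirm that `os` is already imported at the top of buildversion.py, and check whether `import socket` is now unused. The change to `time.gmtime` also moves the stamp from local time to UTC even when SOURCE_DATE_EPOCH is unset, which deserves a mention in the commit message, and the new line is long enough to be worth splitting.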
--- End Message ---
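An added example, not part of the original bug report or of the QEMU/SeaBIOS sources: a small checker that scans a built image for the build stamp described in the message above and reports stamps that do not match SOURCE_DATE_EPOCH or that still carry a trailing token such as a hostname. The regular expression, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import time

# Stamp shape taken from the patch above: "<ver>-YYYYMMDD_HHMMSS", optionally
# followed by "-<token>" (the pre-patch hostname suffix).
STAMP_RE = re.compile(rb"-(\d{8}_\d{6})(?:-([A-Za-z0-9][A-Za-z0-9.-]*))?")


def expected_stamp(source_date_epoch):
    """Format SOURCE_DATE_EPOCH as the patched script does (UTC)."""
    return time.strftime("%Y%m%d_%H%M%S", time.gmtime(int(source_date_epoch)))


def audit_image(blob, source_date_epoch):
    """Return one finding per embedded build stamp that is not reproducible."""
    want = expected_stamp(source_date_epoch).encode()
    findings = []
    for m in STAMP_RE.finditer(blob):
        problems = []
        if m.group(1) != want:
            problems.append("timestamp is not SOURCE_DATE_EPOCH")
        if m.group(2):
            problems.append("token after timestamp (possible hostname)")
        if problems:
            findings.append({
                "offset": m.start(),
                "stamp": m.group(1).decode(),
                "suffix": m.group(2).decode() if m.group(2) else None,
                "problems": problems,
            })
    return findings


# Constructed sample data, not bytes from the real hppa-firmware.img.
EPOCH = 1592768319  # 2020-06-21 19:38:39 UTC
PRE_PATCH = b"\x00\x00rel-0.0-20200717_061243-buildhost01\x00\xff"
PATCHED = b"\x00\x00rel-0.0-20200621_193839\x00\xff"

if __name__ == "__main__":
    for name, blob in (("pre-patch", PRE_PATCH), ("patched", PATCHED)):
        print(name, audit_image(blob, EPOCH) or "clean")
```

A suffix passed to the script as an extra version string would also be reported as a possible hostname, so findings need a manual look before they are treated as a leak.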
--- Begin Message ---
Source: qemu
Source-Version: 1:5.0-8
Done: Michael Tokarev <[email protected]>
We believe that the bug you reported is fixed in the latest version of
qemu, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Tokarev <[email protected]> (supplier of updated qemu package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Fri, 17 Jul 2020 09:12:43 +0300
Source: qemu
Architecture: source
Version: 1:5.0-8
Distribution: unstable
Urgency: medium
Maintainer: Debian QEMU Team <[email protected]>
Changed-By: Michael Tokarev <[email protected]>
Closes: 961297 963466 963467 963470 963472
Changes:
 qemu (1:5.0-8) unstable; urgency=medium
 .
   * d/control: rdma is linux-only, do not enable it on kfreebsd & hurd
   * add comment about virtiofsd conditional to d/qemu-system-common.install
     Now qemu FTBFS on sparc64 since virtiofsd is not built due to missing
     seccomp on that platform, we should either make virtiofsd conditional
     (!sparc64) or fix seccomp on sparc64 and build-depend on it
   * openbios-use-source_date_epoch-in-makefile.patch (Closes: #963466)
   * seabios-hppa-use-consistant-date-and-remove-hostname.patch (Closes: #963467)
   * slof-remove-user-and-host-from-release-version.patch (Closes: #963472)
   * slof-ensure-ld-is-called-with-C-locale.patch (Closes: #963470)
   * update previous changelog, mention #945997
   * reapply CVE-2020-13253 fixed from upstream:
     sdcard-simplify-realize-a-bit.patch (preparation for the next patch)
     sdcard-dont-allow-invalid-SD-card-sizes.patch (half part of CVE-2020-13253)
     sdcard-update-coding-style-to-make-checkpatch-happy.patch (preparational)
     sdcard-dont-switch-to-ReceivingData-if-address-is-in..-CVE-2020-13253.patch
     Closes: #961297, CVE-2020-13253
--- End Message ---