Hi, since this bug has not seen maintainer action for several months now and because fontconfig is one of the last remaining bits that make a Priority:Standard chroot unreproducible, I'd like to propose to NMU fontconfig with the attached patch.
Essentially, I took the patch by Chris Lamb and modified it so that uuid_generate_sha1() will be used if SOURCE_DATE_EPOCH is set. The original behaviour is retained without SOURCE_DATE_EPOCH being set. This should be the solution with zero impact on normal installations while making those installations that care (like reproducible chroot or image creation) reproducible.

If I don't get a NACK from you on this, I plan to upload to DELAYED/10 in two weeks.

Thanks!

cheers, josch
diff -Nru fontconfig-2.13.1/debian/changelog fontconfig-2.13.1/debian/changelog --- fontconfig-2.13.1/debian/changelog 2020-05-15 12:55:02.000000000 +0200 +++ fontconfig-2.13.1/debian/changelog 2021-12-27 20:53:49.000000000 +0100 @@ -1,3 +1,10 @@ +fontconfig (2.13.1-4.3) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Make cache files reproducible (closes: #864082) + + -- Johannes Schauer Marin Rodrigues <jo...@debian.org> Mon, 27 Dec 2021 20:53:49 +0100 + fontconfig (2.13.1-4.2) unstable; urgency=medium * Non-maintainer upload. diff -Nru fontconfig-2.13.1/debian/patches/0001-Make-the-cache-filenames-determinstic.patch fontconfig-2.13.1/debian/patches/0001-Make-the-cache-filenames-determinstic.patch --- fontconfig-2.13.1/debian/patches/0001-Make-the-cache-filenames-determinstic.patch 1970-01-01 01:00:00.000000000 +0100 +++ fontconfig-2.13.1/debian/patches/0001-Make-the-cache-filenames-determinstic.patch 2021-12-27 20:53:49.000000000 +0100 
@@ -0,0 +1,49 @@ +From 70565e0f73d116a2a9523146228efcca1e76b016 Mon Sep 17 00:00:00 2001 +From: Chris Lamb <ch...@chris-lamb.co.uk> +Date: Mon, 29 Oct 2018 15:48:51 -0400 +Subject: [PATCH] Make the cache filenames determinstic + +Whilst working on the Reproducible Builds[0] effort, we noticed that +fontconfig generates cache files with unreproducible/non-deterministic +filenames. + +This is a supplement to the changes added in f098adac54ab where we +ensured that the checksums themselves were determistic but the files +that were stored in the cache directory are currently being given +"random" names via uuid(3)'s uuid_generate_random function, thus +any images that generate such files have different contents on every +build. + +This patch changes the behaviour of the cache directory filename +calculation to be based on the "source" directory name, rather than +being entirely random. + +An alternative solution could be to continue to use the previous +uuid_generate_random function but use this alternative codepath if the +SOURCE_DATE_EPOCH[1] environment variable was determined to be +present via getenv(3). + +This work was sponsored by Tails[2] and tracked in Debian in #864082[3]. 
+ + [0] https://reproducible-builds.org/ + [1] https://reproducible-builds.org/specs/source-date-epoch/ + [2] https://tails.boum.org/ + [3] https://bugs.debian.org/864082 +--- + src/fccache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/fccache.c ++++ b/src/fccache.c +@@ -101,7 +101,10 @@ FcDirCacheCreateUUID (FcChar8 *dir, + ret = FcFalse; + goto bail3; + } +- uuid_generate_random (uuid); ++ if (getenv("SOURCE_DATE_EPOCH")) ++ uuid_generate_sha1 (uuid, target, target, strlen(target)); ++ else ++ uuid_generate_random (uuid); + if (force) + hash_add = FcHashTableReplace; + else diff -Nru fontconfig-2.13.1/debian/patches/series fontconfig-2.13.1/debian/patches/series --- fontconfig-2.13.1/debian/patches/series 2020-05-13 12:18:40.000000000 +0200 +++ fontconfig-2.13.1/debian/patches/series 2021-12-27 20:53:43.000000000 +0100 @@ -6,3 +6,4 @@ 0001-fix-memory-leaks.patch 0002-more-memory-leaks.patch 0003-Set-name_mapping-to-NULL-after-freeing.patch +0001-Make-the-cache-filenames-determinstic.patch
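Review bot: In the src/fccache.c hunk, the added call `uuid_generate_sha1 (uuid, target, target, strlen(target));` passes target as the namespace argument as well as the name. libuuid declares that second parameter as `const uuid_t ns`, a 16-byte value, so the path string is hashed as 16 raw bytes, and a target shorter than 16 bytes would be read past its end. Suggest defining a fixed namespace UUID constant for the cache and passing target only as the name. The embedded patch header also still reads "1 insertion(+), 1 deletion(-)" and its description presents the getenv(3) check as an alternative, while the hunk adds four lines and implements that check; both are worth refreshing so the patch documents what it actually does.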
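Review bot: In the debian/patches/series hunk, the new entry 0001-Make-the-cache-filenames-determinstic.patch is appended after 0003-Set-name_mapping-to-NULL-after-freeing.patch, so its 0001 prefix repeats that of 0001-fix-memory-leaks.patch and no longer reflects the apply order. The file name also carries the typo "determinstic". Suggest renaming the patch with a prefix that matches its position in the series and the spelling "deterministic", and updating the file added under debian/patches to match.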