Source: uclibc
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: umask username
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The source tarball /usr/src/uClibc-ng-1.0.35.tar.xz embeds the username,
userid, groupname, groupid and umask of the build user:

  
  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/uclibc.html

  drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2020-08-29·02:35:19.000000·uClibc-ng-1.0.35/
  vs.
  drwxrwxr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2020-08-29·02:35:19.000000·uClibc-ng-1.0.35/

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent user, group, uid, gid and file
permissions in the generated tarball.

I have not verified that these changes work correctly in the resulting
packages, only that it builds reproducibly; please be sure to verify
before uploading.

I have not fully tested this patch as my local build environment does
not successfully test umask differences, though I am fairly confident
with this patch applied, uclibc should become reproducible on
tests.reproducible-builds.org!

Thanks for maintaining uclibc!

live well,
  vagrant
From 7463e372afbc7f9d3e7c78788741ded0890c4102 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagr...@reproducible-builds.org>
Date: Tue, 27 Sep 2022 19:09:06 +0000
Subject: [PATCH] debian/rules: Set sort order, user id, group id, and file
 mask when generating tarball.

https://reproducible-builds.org/docs/archives/
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index c850f66..7a41ebc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -129,7 +129,7 @@ build/uClibc-ng-$(version).tar.xz: build/uClibc-ng-$(version).tar
 build/uClibc-ng-$(version).tar:
 	dh_testdir
 	mkdir -p build
-	tar -cf $@ --mtime="$(BUILD_DATE)" --exclude=./build --transform s@^\.@uClibc-ng-$(version)@ .
+	tar -cf $@ --mtime="$(BUILD_DATE)" --sort=name --owner=0 --group=0 --numeric-owner --mode=go=rX,u+rw,a-s --exclude=./build --transform s@^\.@uClibc-ng-$(version)@ .
 
 binary-%: build-%
 	dh_testdir
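Review bot: the new `tar` line fixes ordering, ownership and modes but does not pin the archive format, so the bytes of the tarball still depend on the default format compiled into the builder's tar. Adding `--format=gnu` next to `--sort=name` would make that explicit, in line with the reproducible-builds.org page linked in the commit message. `--sort=name` also needs GNU tar 1.28 or later, which is worth stating in a comment above the rule. As a style point, the option list is now long enough that moving it into a make variable would keep the recipe line readable.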
-- 
2.37.2
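A way to exercise the umask case locally, as an added example that is not part of the bug report or of the uclibc packaging: it builds the same constructed tree under umask 022 and 002 and compares archive hashes with and without the tar arguments from the patch. The tree contents, the `pkg-1.0` prefix and the function names are hypothetical; it assumes GNU tar 1.28 or later and `sha256sum`.

```shell
#!/bin/sh
# Added example on a constructed tree; pkg-1.0 and the file names are made up.
# Assumes GNU tar >= 1.28 (for --sort=name) and sha256sum.

# The normalizing arguments taken from the patch.
NORMALIZE="--sort=name --owner=0 --group=0 --numeric-owner --mode=go=rX,u+rw,a-s"

# make_tree DIR UMASK: create an identical source tree under the given umask.
make_tree() {
    (
        umask "$2"
        mkdir -p "$1/src/include" "$1/src/libc"
        printf '#define X 1\n' > "$1/src/include/x.h"
        printf 'int x = 1;\n' > "$1/src/libc/x.c"
        printf '#!/bin/sh\n' > "$1/src/configure"
        chmod a+x "$1/src/configure"
    )
}

# archive_hash DIR raw|normalized: tar DIR/src and print the archive's SHA-256.
archive_hash() {
    flags=""
    if [ "$2" = normalized ]; then flags=$NORMALIZE; fi
    # $flags is deliberately unquoted so it splits into separate arguments.
    tar -C "$1/src" -cf "$1/out.tar" --mtime=@0 $flags \
        --transform 's@^\.@pkg-1.0@' . || return 1
    sha256sum "$1/out.tar" | cut -d' ' -f1
}

# compare raw|normalized: print "same" or "differ" for trees built under
# umask 022 and umask 002.
compare() {
    work=$(mktemp -d) || return 1
    make_tree "$work/a" 022
    make_tree "$work/b" 002
    a=$(archive_hash "$work/a" "$1") && b=$(archive_hash "$work/b" "$1")
    status=$?
    rm -rf "$work"
    [ "$status" -eq 0 ] || return 1
    if [ "$a" = "$b" ]; then echo same; else echo differ; fi
}

echo "raw:        $(compare raw)"
echo "normalized: $(compare normalized)"
```

Both archives are built by the same user here, so the test covers the umask difference only; `--owner=0 --group=0 --numeric-owner` is what removes the user and group names seen in the diffoscope output.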
