Source: refpolicy
Version: 2:2.20221101-4
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: username
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The source tarball /usr/src/selinux-policy-src.tar.zst embeds the
username, userid, groupname and groupid of the build user:

  
  https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/refpolicy.html

  drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2023-01-29·04:07:05.000000·selinux-policy-src/
  vs.
  drwxr-xr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2023-01-29·04:07:05.000000·selinux-policy-src/

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent user, group, uid and gid in the
generated tarball.

Historically, most versions of refpolicy did not have this issue, so
this appears to be a recent regression (possibly triggered by a switch
to "rules-requires-root: no"?):

  https://tests.reproducible-builds.org/debian/history/refpolicy.html

According to my local tests, with this patch applied refpolicy should
become reproducible on tests.reproducible-builds.org!

Thanks for maintaining refpolicy!

live well,
  vagrant

From 7b691da36a702d912cfd647f50cdeed5ca7bd0c6 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagr...@reproducible-builds.org>
Date: Mon, 30 Jan 2023 19:49:41 +0000
Subject: [PATCH] debian/rules: Pass arguments to tar to use a consistent uid
 and gid.

Otherwise the user name, user id, group name and group id are recorded
in selinux-policy-src.tar.zst shipped in the package.

https://reproducible-builds.org/docs/archives/
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 32d70d6..d7feee3 100755
--- a/debian/rules
+++ b/debian/rules
@@ -166,6 +166,6 @@ install-src: conf-src
 	  rm -rf selinux-policy-src/support/__pycache__/; \
 	  find selinux-policy-src -type f -print0 | xargs -0r chmod 0644; \
 	  find selinux-policy-src -type d -print0 | xargs -0r chmod 0755; \
-	  TZ=UTC tar cf - --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src | zstd -9 > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.zst)
+	  TZ=UTC tar cf - --sort=name --mtime="$(BUILD_DATE)" --owner=0 --group=0 --numeric-owner selinux-policy-src | zstd -9 > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.zst)
 	rm -rf               $(CURDIR)/debian/tmp/etc/selinux/default/src/
 	touch $@
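
Review bot: The tar on the changed line still feeds zstd through a pipe, so the status of that step is zstd's and a tar that fails (for instance one that rejects an option) would still leave a selinux-policy-src.tar.zst behind, unless the recipe's shell enables pipefail, which this hunk does not show. Consider writing the tar output to a temporary file before compressing, or checking the tar status explicitly. A one-line comment above the tar call saying that --owner=0 --group=0 --numeric-owner are there for reproducibility would also help, since the reason is currently recorded only in the commit message and the flags are easy to drop in a later cleanup.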
-- 
2.30.2
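
An added example, not part of the original report or of the refpolicy packaging: a Python check that lists tar members still carrying build-user ownership, run here over constructed in-memory archives that mimic the pbuilder1/pbuilder2 builds from the diffoscope output. The helper names and the sample Makefile member are assumptions made for illustration.

```python
import hashlib
import io
import tarfile

# (member name, content); None marks a directory. Constructed sample tree.
MEMBERS = (("selinux-policy-src", None),
           ("selinux-policy-src/Makefile", b"# constructed sample\n"))

def build_archive(uid, uname, normalize):
    """Constructed stand-in for the debian/rules tar call, run as one build user."""
    buf = io.BytesIO()
    # GNU format is GNU tar's default and carries no pax extended headers.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in MEMBERS:
            info = tarfile.TarInfo(name)
            info.mtime = 1674965225  # 2023-01-29 04:07:05 UTC, like --mtime
            if data is None:
                info.type, info.mode = tarfile.DIRTYPE, 0o755
            else:
                info.size, info.mode = len(data), 0o644
            info.uid = info.gid = uid
            info.uname = info.gname = uname
            if normalize:  # effect of --owner=0 --group=0 --numeric-owner
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()

def ownership_leaks(archive):
    """Return (name, uid, gid, uname, gname) for members with build-user data."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return [(m.name, m.uid, m.gid, m.uname, m.gname) for m in tar
                if m.uid or m.gid or m.uname or m.gname]

def digest(archive):
    return hashlib.sha256(archive).hexdigest()

if __name__ == "__main__":
    for normalize in (False, True):
        a = build_archive(1111, "pbuilder1", normalize)
        b = build_archive(2222, "pbuilder2", normalize)
        state = "identical" if digest(a) == digest(b) else "differs"
        print("normalized" if normalize else "as built", state, ownership_leaks(a))
```

To audit a real package, decompress selinux-policy-src.tar.zst first and pass the resulting tar bytes to ownership_leaks(); an empty list means no member records a build user.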
