Source: refpolicy
Version: 2:2.20221101-4
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: username
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The source tarball /usr/src/selinux-policy-src.tar.zst embeds the username, userid, groupname and groupid of the build user:

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/refpolicy.html

drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2023-01-29·04:07:05.000000·selinux-policy-src/
vs.
drwxr-xr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2023-01-29·04:07:05.000000·selinux-policy-src/

The attached patch fixes this by passing arguments to tar in debian/rules to ensure consistent user, group, uid and gid in the generated tarball.

Historically, most versions of refpolicy did not have this issue, so this appears to be a recent regression (possibly triggered by a switch to "rules-requires-root: no"?):

https://tests.reproducible-builds.org/debian/history/refpolicy.html

According to my local tests, with this patch applied refpolicy should become reproducible on tests.reproducible-builds.org!

Thanks for maintaining refpolicy!

live well,
vagrant
From 7b691da36a702d912cfd647f50cdeed5ca7bd0c6 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian <vagr...@reproducible-builds.org> Date: Mon, 30 Jan 2023 19:49:41 +0000 Subject: [PATCH] debian/rules: Pass arguments to tar to use a consistent uid and gid. Otherwise the user name, user id, group name and group id are recorded in selinux-policy-src.tar.zst shipped in the package. https://reproducible-builds.org/docs/archives/ --- debian/rules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index 32d70d6..d7feee3 100755 --- a/debian/rules +++ b/debian/rules @@ -166,6 +166,6 @@ install-src: conf-src rm -rf selinux-policy-src/support/__pycache__/; \ find selinux-policy-src -type f -print0 | xargs -0r chmod 0644; \ find selinux-policy-src -type d -print0 | xargs -0r chmod 0755; \ - TZ=UTC tar cf - --sort=name --mtime="$(BUILD_DATE)" selinux-policy-src | zstd -9 > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.zst) + TZ=UTC tar cf - --sort=name --mtime="$(BUILD_DATE)" --owner=0 --group=0 --numeric-owner selinux-policy-src | zstd -9 > $(CURDIR)/debian/tmp/usr/src/selinux-policy-src.tar.zst) rm -rf $(CURDIR)/debian/tmp/etc/selinux/default/src/ touch $@ -- 2.30.2
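Review bot: the changed tar line in install-src gains --owner=0 --group=0 --numeric-owner, but nothing in debian/rules itself records why, so the options are easy to drop in a later cleanup of that recipe. The rationale and the https://reproducible-builds.org/docs/archives/ link currently live only in the commit message. Since the tar call sits inside a backslash-continued shell block, a short comment above the install-src target would be the place to say that these options keep the build user's name, uid, group name and gid out of selinux-policy-src.tar.zst, alongside the existing --sort=name and --mtime normalisation.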
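The following Python check is an added example, not part of the bug report or the refpolicy packaging. It uses Python's tarfile module in place of GNU tar to simulate the two build users from the diffoscope output over a constructed file tree, and shows that zeroing the owner fields makes the archives byte-identical; `build_tar`, `leaked_owners` and `digest` are hypothetical helper names.

```python
import hashlib
import io
import tarfile

# Constructed sample tree: (path, content); None marks a directory.
SAMPLE_TREE = [
    ("selinux-policy-src/", None),
    ("selinux-policy-src/Makefile", b"all:\n"),
    ("selinux-policy-src/policy/modules.conf", b"base = module\n"),
]
MTIME = 1674965225  # 2023-01-29 04:07:05 UTC, as in the diffoscope output


def build_tar(user, uid, normalize=False):
    """Build a tar in memory as if run by build user `user` with id `uid`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path, data in sorted(SAMPLE_TREE):      # like --sort=name
            info = tarfile.TarInfo(path.rstrip("/"))
            info.mtime = MTIME                       # like --mtime
            info.uid = info.gid = uid
            info.uname = info.gname = user
            if data is None:
                info.type, info.mode = tarfile.DIRTYPE, 0o755
            else:
                info.size, info.mode = len(data), 0o644
            if normalize:   # like --owner=0 --group=0 --numeric-owner
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()


def leaked_owners(tar_bytes):
    """Return sorted (uname, uid, gname, gid) tuples that are not normalized."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return sorted({(m.uname, m.uid, m.gname, m.gid) for m in tar
                       if (m.uid, m.gid, m.uname, m.gname) != (0, 0, "", "")})


def digest(tar_bytes):
    return hashlib.sha256(tar_bytes).hexdigest()


if __name__ == "__main__":
    a, b = build_tar("pbuilder1", 1111), build_tar("pbuilder2", 2222)
    print("as built, identical:  ", digest(a) == digest(b), leaked_owners(a))
    a, b = build_tar("pbuilder1", 1111, True), build_tar("pbuilder2", 2222, True)
    print("normalized, identical:", digest(a) == digest(b), leaked_owners(a))
```

`leaked_owners` can also be pointed at the decompressed bytes of a real package tarball to confirm that no build-user identity remains in any member header.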