Debian Bug report logs -
#1009981
rsync: please make the build reproducible
Reported by: "Chris Lamb" <lamby@debian.org>
Date: Thu, 21 Apr 2022 16:51:01 UTC
Severity: wishlist
Tags: patch
Found in version rsync/3.2.4-1
Fixed in version rsync/3.2.5-1
Done: Samuel Henrique <samueloph@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Paul Slootman <paul@debian.org>:
Bug#1009981; Package src:rsync.
(Thu, 21 Apr 2022 16:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to "Chris Lamb" <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Paul Slootman <paul@debian.org>.
(Thu, 21 Apr 2022 16:51:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: rsync
Version: 3.2.4-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Hi,
Whilst working on the Reproducible Builds effort [0] we noticed that
rsync could not be built reproducibly.
This was because the manpage generation used the current date for the
manual page header.
A patch is attached that will use SOURCE_DATE_EPOCH if available.
[0] https://reproducible-builds.org/
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
[rsync.diff.txt (text/plain, attachment)]
Message sent on
to "Chris Lamb" <lamby@debian.org>:
Bug#1009981.
(Mon, 25 Apr 2022 19:00:03 GMT) (full text, mbox, link).
Message #8 received at 1009981-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #1009981 in rsync reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian/rsync/-/commit/5c820f8f529ab8a41b62d5543256f679b5983cc9
------------------------------------------------------------------------
d/p/reproducible_manpages.patch: New patch to fix reproducibility (closes: #1009981)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1009981
Added tag(s) pending.
Request was from Samuel Henrique <noreply@salsa.debian.org>
to 1009981-submitter@bugs.debian.org.
(Mon, 25 Apr 2022 19:00:03 GMT) (full text, mbox, link).
Reply sent
to Samuel Henrique <samueloph@debian.org>:
You have taken responsibility.
(Tue, 16 Aug 2022 11:48:05 GMT) (full text, mbox, link).
Notification sent
to "Chris Lamb" <lamby@debian.org>:
Bug acknowledged by developer.
(Tue, 16 Aug 2022 11:48:05 GMT) (full text, mbox, link).
Message #15 received at 1009981-close@bugs.debian.org (full text, mbox, reply):
Source: rsync
Source-Version: 3.2.5-1
Done: Samuel Henrique <samueloph@debian.org>
We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1009981@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Samuel Henrique <samueloph@debian.org> (supplier of updated rsync package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 16 Aug 2022 11:03:48 +0100
Source: rsync
Architecture: source
Version: 3.2.5-1
Distribution: unstable
Urgency: medium
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Samuel Henrique <samueloph@debian.org>
Closes: 1009981 1016543
Changes:
rsync (3.2.5-1) unstable; urgency=medium
.
* New upstream version 3.2.5
- Added some file-list safety checking that helps to ensure that a rogue
sending rsync can't add unrequested top-level names and/or include
recursive names that should have been excluded by the sender. These
extra safety checks only require the receiver rsync to be updated. When
dealing with an untrusted sending host, it is safest to copy into a
dedicated destination directory for the remote content (i.e. don't copy
into a destination directory that contains files that aren't from the
remote host unless you trust the remote host)
(closes: #1016543, CVE-2022-29154).
- The build date that goes into the manpages is now based on the
developer's release date, not on the build's local-timezone
interpretation of the date (closes: #1009981)
Checksums-Sha1:
061ba53c8da88009921a89dc64c639f9858a09b4 2276 rsync_3.2.5-1.dsc
26baded8871b9e2406add210cdbfa744c94642d2 1129957 rsync_3.2.5.orig.tar.gz
5e066f34f9846b70039af0ce868b2edb667b2d98 195 rsync_3.2.5.orig.tar.gz.asc
4e5a8c93f7a44da9a83b17e2c3e1995fb938affe 25612 rsync_3.2.5-1.debian.tar.xz
b9005c98a54f3c7d7698bffc78becc37ef7b6374 7006 rsync_3.2.5-1_amd64.buildinfo
Checksums-Sha256:
9507370fefafbebedb5970d5720b75edab7c56d263b3775cbc69d02421f8ba5a 2276 rsync_3.2.5-1.dsc
2ac4d21635cdf791867bc377c35ca6dda7f50d919a58be45057fd51600c69aba 1129957 rsync_3.2.5.orig.tar.gz
bd2ea7f1a057043c09797c18a5a18a78dcf453e11fbbdf8354a39eca1e67c9cc 195 rsync_3.2.5.orig.tar.gz.asc
b5494c5138dd35aaad2c8939fdc49ca997baa618c3583834eb4e378e9fd0194d 25612 rsync_3.2.5-1.debian.tar.xz
786af16f711ca89eb74923a8dbf67bde5130dfcca009d78cbeea99d0c179f6b8 7006 rsync_3.2.5-1_amd64.buildinfo
Files:
de9e68d24b8f3c5bbd70340df7d6f423 2276 net optional rsync_3.2.5-1.dsc
2fd61dfd76d39098c3be6eb5d54bb633 1129957 net optional rsync_3.2.5.orig.tar.gz
ed2438496f401c3eff8979e3263e2515 195 net optional rsync_3.2.5.orig.tar.gz.asc
28cc7d3e1bd45f63894ff37f7f17abfb 25612 net optional rsync_3.2.5-1.debian.tar.xz
428c1f840fccf91a82897cfb1a3c3b22 7006 net optional rsync_3.2.5-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEBdtqg34QX0sdAsVfu6n6rcz7RwcFAmL7cF0ACgkQu6n6rcz7
RwdaQQ/+LYFjs9dFSFZz/QorZ5urdlwTJMQON4opV6nCxBLWXWPXOyTXReA+aVjD
QG6aMDlms7BE0AB3cWhb6i5UySuTqxrbTesRJTh2jf+Sc3HL3jPdKL5s8YJ0Q/bU
Elaz/X+DC+mB8FnxrBJgPdMjhqQsARDXiAME28WwiOm5NjjLnqZoJZTp0fo6T42O
DTLx2146K+DCTbAUMwBc7+0Awx4WF+Grq62TX6a3WXP43egSmdHaqpKHmQN1emdw
tK6FngjxlhBm3yPOHhvJW5oylNEXnQ1KK7QPYi0RyjU0e/kh+nMUQefQK8ncxNDf
LHE3C6kQh9Ark3qFAKU+hUIjKXaMQkrf4tVwHxFZFAke70jC6p9In2aJorNa5ppM
aU85vMNshav99VDVdenevIv8P16yM5xResmK3aabgIXzCMYF2tv9Ofod49F2DT3L
rOEL6F5E2PHyjAgLNV66GTPNKNtEhv1B4asbRx/ZsHtf3CXLDiRqDT5+V7v7zlNu
XddRFM6bJH/GRS8ScACfdPlKFuQxCfvj+XSZQQsw3bWM2pIswDl3hMR7wmsLu+N9
PN5uwXljxqjFvof9/sNGcYeyOkRQRVbsTB/oO5FFItZ06YIqvM3wpJCjHMm1uMKa
yqw3wQDLku7AXWFn6XpTAB1WrvfocYfWpPykTlO+VykwOrxV69c=
=dVEm
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 13 Oct 2022 07:28:07 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed May 17 10:41:37 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.