Debian Bug report logs - #1010238
binutils: reproducible builds: source tarball embeds build user and group

version graph

Package: src:binutils; Maintainer for src:binutils is Matthias Klose <doko@debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Tue, 26 Apr 2022 21:45:02 UTC

Severity: normal

Tags: patch

Fixed in version binutils/2.38-4

Done: Matthias Klose <doko@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Matthias Klose <doko@debian.org>:
Bug#1010238; Package src:binutils. (Tue, 26 Apr 2022 21:45:04 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Matthias Klose <doko@debian.org>. (Tue, 26 Apr 2022 21:45:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: binutils: reproducible builds: source tarball embeds build user and group
Date: Tue, 26 Apr 2022 14:42:27 -0700
[Message part 1 (text/plain, inline)]
Source: binutils
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

binutils-source embeds the username, uid, group and gid in the binutils
source tarball:

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/armhf/diffoscope-results/binutils.html

  /usr/src/binutils/binutils-2.38.tar.xz

  -rw-r--r--···0·pbuilder1··(1111)·pbuilder1··(1111)····18002·2022-01-22·12:14:07.000000·binutils-2.38/COPYING
  vs.
  -rw-r--r--···0·pbuilder2··(2222)·pbuilder2··(2222)····18002·2022-01-22·12:14:07.000000·binutils-2.38/COPYING


The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent user, group, uid and gid in the
generated tarballs.


Unfortunately, other issues prevent binutils from building reproducibly,
but this should at least reduce the differences, making it easier to fix
remaining issues.


Thanks for maintaining binutils!


live well,
  vagrant

[0001-debian-rules-Use-consistent-user-and-group-when-gene.patch (text/x-diff, inline)]
From 30c8ddb48925121e20e53039ca60968764f6b874 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Tue, 26 Apr 2022 20:25:08 +0000
Subject: [PATCH] debian/rules: Use consistent user and group when generating
 source tarball.

https://reproducible-builds.org/docs/archives/
---
 debian/rules | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/rules b/debian/rules
index 7e856a63..c795d87b 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1406,6 +1406,7 @@ endif # ifndef BACKPORT
 		xargs -0r touch --no-dereference --date='$(BUILD_DATE)' && \
 		find $(source_files) -type f -print0 | LC_ALL=C sort -z | \
 		tar --null -T - -c --xz --exclude=CVS --mode=go=rX,u+rw,a-s \
+		--owner=0 --group=0 --numeric-owner \
 		--xform='s=^[^/]*\/=binutils-$(VERSION)/=' \
 		-f $(pwd)/$(d_src)/$(PF)/src/binutils/binutils-$(VERSION).tar.xz \
 		$(source_files)
-- 
2.30.2


[signature.asc (application/pgp-signature, inline)]

Reply sent to Matthias Klose <doko@debian.org>:
You have taken responsibility. (Mon, 02 May 2022 21:27:05 GMT) (full text, mbox, link).

Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Mon, 02 May 2022 21:27:05 GMT) (full text, mbox, link).

Message #10 received at 1010238-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1010238-close@bugs.debian.org
Subject: Bug#1010238: fixed in binutils 2.38-4
Date: Mon, 02 May 2022 21:24:19 +0000
Source: binutils
Source-Version: 2.38-4
Done: Matthias Klose <doko@debian.org>

We believe that the bug you reported is fixed in the latest version of
binutils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1010238@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Klose <doko@debian.org> (supplier of updated binutils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 02 May 2022 22:50:25 +0200
Source: binutils
Architecture: source
Version: 2.38-4
Distribution: unstable
Urgency: medium
Maintainer: Matthias Klose <doko@debian.org>
Changed-By: Matthias Klose <doko@debian.org>
Closes: 1010238
Changes:
 binutils (2.38-4) unstable; urgency=medium
 .
   * Update from the binutils 2.38 branch:
     - Fix PR ld/29087, x86: invalid relocation against protected symbol.
     - s390: Add DT_JMPREL pointing to .rela.[i]plt with static-pie.
     - Fix PR ld/22263, s390: Avoid dynamic TLS relocs in PIE.
     - Fix PR libctf/28933: ld: diagnose corrupted CTF header cth_strlen.
     - Fix PR 28885.
     - PR28959, obdump doesn't disassemble mftb instruction.
     - PowerPC64 DT_RELR relative reloc addresses.
   * Fix reproducible builds: source tarball embeds build user and group.
     Closes: #1010238.
Checksums-Sha1:
 1547820e2976cfbea98b4ca582ec7708be7ad323 11276 binutils_2.38-4.dsc
 21afc015d2f1130ebf5f8e24ec488595da4f9233 273624 binutils_2.38-4.debian.tar.xz
 676e1ebe5e028d7d43aad98b66b996a0bd257292 6392 binutils_2.38-4_source.buildinfo
Checksums-Sha256:
 b87e5c78f73473ca6d28dd3ceec500179bb7f493cafcc8f9fbaf360c048c0aa5 11276 binutils_2.38-4.dsc
 f331fceb16096d611c6f3ad2235476bf845727c65fdbf6a89693e3c68404fbb1 273624 binutils_2.38-4.debian.tar.xz
 63704d55519f66530e76340f749988fe1e1f44ed167dcf625bf3b425a75a3091 6392 binutils_2.38-4_source.buildinfo
Files:
 edcc1282865f4800b439368f0d2aa5d1 11276 devel optional binutils_2.38-4.dsc
 286b82aacbbe3ae81a1ee9d960f9cc22 273624 devel optional binutils_2.38-4.debian.tar.xz
 28e642e0b15309c4203ea9627ce170bb 6392 devel optional binutils_2.38-4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJEBAEBCAAuFiEE1WVxuIqLuvFAv2PWvX6qYHePpvUFAmJwRl4QHGRva29AZGVi
aWFuLm9yZwAKCRC9fqpgd4+m9TV+EACY3YkWJjcaFOeYmG0+gWSJSra3eeu+N666
AHf/iQyyo4PN8G906JHJBiWYO0N8Mz9M71SH5+MobWxt2M3daLrp/+heZxomGtXb
DRq9LJq9c2fmr8/KlnafbfYgKbriTmHmeBVtWA6cHqQHlInPfv68KlQXggjmTrk+
WyDgRpwtqQ21OrPCbqxTwNptsZLEu1i2Uz3gUkhQgTCw1xmsl4ld06yzjdozp1BW
3Qobitov/5OAaFQeqMtQc9VfM9S6IHTDsxu94JbDiPJFXqbhvSeCLdSJ2T2hWC4i
TUCD58kq9a48Iz+57QB3vvJ/Ia4/5RWg9JTVD6Ji3Dohv9nCzRD+ss+gk3IQfAoz
W5OEKjpz3urcnTbIoWaJYo7L8Iwz9TPFLKGYwI/oDueTPG93LyNOhmkEy1eosnKs
+oyL/Bdp5QUzjUlU56UvJwO35qEYNLEGIPUuS9hbYV2HK9qc9vgi46lXUVW8JKZs
Tq44gGDDs71g2z64JodyYkvfGpBEenrUQnXaVISyinX/vGlYWWQ5JPaz505bSsLI
hT5BxcFWRudwy+mpSovHW+0G6p8ERuIHEjIUhvFJHmqZGTmnkyPA4jfV7ZPH6mM+
iyPSXcq/3BPsuZVeY+xJG6XTPALs3lKr14XDdq2YRpFwG4BIdtoQu4QgeE7HbZBq
YrKR24rRWw==
=a2gl
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 02 Jun 2022 07:26:07 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 09:18:50 2023; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.