Debian Bug report logs - #896520
lzop: embeds timestamp and umask lzo archives

version graph

Package: lzop; Maintainer for lzop is Stephen Kitt <skitt@debian.org>; Source for lzop is src:lzop (PTS, buildd, popcon).

Reported by: Vagrant Cascadian <vagrant@debian.org>

Date: Sun, 22 Apr 2018 03:51:01 UTC

Severity: wishlist

Found in version lzop/1.03-4

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, vagrant@debian.org, Peter Eisentraut <petere@debian.org>:
Bug#896520; Package lzop. (Sun, 22 Apr 2018 03:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
New Bug report received and forwarded. Copy sent to vagrant@debian.org, Peter Eisentraut <petere@debian.org>. (Sun, 22 Apr 2018 03:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: lzop: embeds timestamp and umask lzo archives
Date: Sat, 21 Apr 2018 20:47:29 -0700
[Message part 1 (text/plain, inline)]
Package: lzop
Version: 1.03-4+b1
Severity: wishlist
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain timestamps umask
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

lzop embeds timestamp and filesystem mode:

  $ echo foo > foo
  # produces foo.lzo
  $ lzop foo 
  $ lzop --info foo.lzo
  LZO1X-1             4         4 100.0%  2018-04-21 20:21  foo
   1.030 2.080 0.940  Fl: 0x03000001  Mo: 000000100644  Me: 1/5  OS:  3
  $ rm foo.lzo
  $ touch -d @1000000 foo
  $ chmod o-r foo
  $ lzop foo
  $ lzop --info foo.lzo
  LZO1X-1             4         4 100.0%  1970-01-12 05:46  foo
   1.030 2.080 0.940  Fl: 0x03000001  Mo: 000000100640  Me: 1/5  OS:  3

This can lead to unreproducibility in other packages which may ship lzop
compressed data, but are built at different times, or with a different
umask.


Interestingly enough, there are the --no-time and --no-mode options, but
according to the manpage and my experimentation, they only work when
decompressing files, not the creation of the archive.

Making --no-time and --no-mode also apply to the creation of lzo
archives would at least make it possible to call lzop in a deterministic
way.


Patching to support SOURCE_DATE_EPOCH would at least workaround the
timestamp issue:

  https://reproducible-builds.org/specs/source-date-epoch/


I'm not positive, but lzop may also embed other metadata:

  $ echo foo | lzop - | sha256sum

Consistantly produces a different checksum. But I don't always see
changed output from lzop --info:

  $ echo foo | lzop - | lzop --info -
  LZO1X-1             4         4 100.0%  2018-04-21 20:19  <stdout>
  1.030 2.080 0.940  Fl: 0x0300000d  Mo: 000000000000  Me: 1/5  OS:  3

This might be because the lzo archive contains time information at a
higher resolution than displayed(e.g. seconds), or possibly other
metadata.


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Added indication that bug 896520 blocks 896526 Request was from Vagrant Cascadian <vagrant@debian.org> to submit@bugs.debian.org. (Sun, 22 Apr 2018 06:54:04 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:42:41 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.