Debian Bug report logs - #961942
mono: mono-source: Embeds time, user, group, etc. in mono-source.tar.xz


Package: src:mono; Maintainer for src:mono is Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Sun, 31 May 2020 20:12:02 UTC

Severity: normal

Tags: patch

Found in version mono/6.8.0.105+dfsg-3



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>:
Bug#961942; Package src:mono. (Sun, 31 May 2020 20:12:04 GMT)


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian Mono Group <pkg-mono-group@lists.alioth.debian.org>. (Sun, 31 May 2020 20:12:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: mono: mono-source: Embeds time, user, group, etc. in mono-source.tar.xz
Date: Sun, 31 May 2020 13:08:41 -0700
[Message part 1 (text/plain, inline)]
Source: mono
Version: 6.8.0.105+dfsg-3
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps buildpath locale username
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The time, user id, group id, locale, and in some cases build path change
the resulting /usr/src/mono-source.tar.xz.

Attached is a patch which should consistently produce the same
mono-source.tar.xz regardless of the above variations.

While this doesn't fix all of the reproducibility issues in the mono
source package, it should make the mono-source binary package
reproducible. The diff for mono-source is currently large enough that
diffoscope often times out tests.reproducible-builds.org when comparing,
which makes it harder to diagnose and troubleshoot other outstanding
issues.

Thanks!


live well,
  vagrant

[0001-mono-source-Ensure-reproducible-mono-source.tar.xz.patch (text/x-diff, inline)]
From b2a35ebc9e29cde7b87cab4d0a14021f2de9c453 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Sat, 30 May 2020 18:57:52 +0000
Subject: [PATCH 1/2] mono-source: Ensure reproducible mono-source.tar.xz.

Pass flags to tar to sort the input, specify mtime, user id, group id,
format, locale and directory name to ensure reproducible builds:

  https://reproducible-builds.org/docs/archives/
---
 debian/rules | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 71531b6b2b..eae72ddb36 100755
--- a/debian/rules
+++ b/debian/rules
@@ -125,7 +125,12 @@ endif
 
 source: source-stamp
 source-stamp:
-	cd $(DEBIAN_DIR) && tar cJf mono-source.tar.xz --exclude=mono-source.tar.xz -C ../.. $$(cd ..; basename $$(pwd))
+	LC_ALL=C.UTF-8 tar cJf debian/mono-source.tar.xz --exclude=mono-source.tar.xz \
+		--sort=name \
+		--mtime="@${SOURCE_DATE_EPOCH}" \
+		--owner=0 --group=0 --numeric-owner \
+		--format=gnu \
+		--transform="s|^\.|$(DEB_SOURCE_NAME)-$(UPVERSION)+dfsg|" .
 	touch $@
 
 autoreconf: autoreconf-stamp
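
Review bot: The --transform expression on the last added line, "s|^\.|$(DEB_SOURCE_NAME)-$(UPVERSION)+dfsg|", carries no scope flag, and GNU tar applies --transform to symbolic link targets as well as member names, so any symlink in the tree whose target begins with a dot (a relative target such as ../something) would have that target rewritten inside the archive and would dangle after extraction. Appending the S flag to the expression restricts the rewrite to member names and hard link targets, which do need to follow the renamed top-level directory. Separately, --mtime="@${SOURCE_DATE_EPOCH}" expands to a bare "@" when the variable is neither in the environment nor set by an include, for instance when the source target is run by hand outside dpkg-buildpackage; a guard that fails early with a clear message, or a fallback derived from debian/changelog, would make that case explicit. The recipe also now writes debian/mono-source.tar.xz relative to the current directory instead of changing into $(DEBIAN_DIR) first, so a short comment that the target must run from the top of the source tree would help.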
-- 
2.20.1

[signature.asc (application/pgp-signature, inline)]
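
A check for the property the report asks for, as an added example that is not part of the original report or patch: it archives two copies of a small constructed tree that differ in mtimes and file creation order, once with tar defaults and once with the flags from the patch, and compares SHA-256 hashes. It assumes GNU tar 1.28 or later and GNU coreutils; the directory name example-1.0, the use of LC_ALL=C in place of C.UTF-8, and the uncompressed output are choices made for this example.

```shell
#!/bin/sh
# Added example: confirm that the patch's tar flags give byte-identical archives
# for two copies of a tree that differ only in mtimes and file creation order.
# Assumes GNU tar >= 1.28 (--sort) and GNU coreutils (touch -d @N, sha256sum).

# Constructed fallback; a Debian build takes this from debian/changelog.
SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-1590000000}

# make_tree DIR MTIME FILES...: constructed sample tree with a fixed mtime.
make_tree() {
    dir=$1 mtime=$2; shift 2
    mkdir -p "$dir/src"
    for f in "$@"; do printf 'int %s;\n' "${f%.c}" > "$dir/src/$f"; done
    touch -d "@$mtime" "$dir/src"/* "$dir/src" "$dir"
}

sha() { sha256sum < "$1" | cut -d' ' -f1; }

# Archive with tar defaults: file mtimes end up in the output.
plain_hash() { tar cf "$1.tar" -C "$1" . && sha "$1.tar"; }

# Archive with the flags from the patch (uncompressed; "example-1.0" is a
# placeholder for $(DEB_SOURCE_NAME)-$(UPVERSION)+dfsg).
normalized_hash() {
    LC_ALL=C tar cf "$1.norm.tar" -C "$1" \
        --sort=name --mtime="@$SOURCE_DATE_EPOCH" \
        --owner=0 --group=0 --numeric-owner --format=gnu \
        --transform='s|^\.|example-1.0|' . && sha "$1.norm.tar"
}

# Build both trees, hash both ways, and report whether the outputs match.
check_reproducible() {
    work=$(mktemp -d) || return 2
    make_tree "$work/a" 1500000000 a.c b.c
    make_tree "$work/b" 1600000000 b.c a.c
    p1=$(plain_hash "$work/a") && p2=$(plain_hash "$work/b") &&
    n1=$(normalized_hash "$work/a") && n2=$(normalized_hash "$work/b")
    status=$?
    rm -rf "$work"
    [ "$status" -eq 0 ] || { echo "tar failed"; return 2; }
    [ "$p1" != "$p2" ] && plain=differs || plain=same
    [ "$n1" = "$n2" ] && norm=same || norm=differs
    echo "plain: $plain, normalized: $norm"
}

check_reproducible
```

File modes are not normalised by these flags, so a build run under a different umask can still change the archive.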



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 11:59:22 2023; Machine Name: bembo
