Debian Bug report logs - #971400
vboot-utils: Add patch to avoid embedding the username and time of the build.

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: vboot-utils: Add patch to avoid embedding the username and time of the build.

Date: Tue, 29 Sep 2020 15:07:30 -0700

[Message part 1 (text/plain, inline)]

Source: vboot-utils
Severity: normal
Version: 0~R81-12871.B-1
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps username
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The "/usr/bin/futility" embeds differing information in the binary,
depending on when and what user built the package:

  unknown 2020-09-17 07:53:52 pbuilder1 vs. unknown 2021-10-21 16:19:17 pbuilder2

This obviously breaks reproducible builds:

  https://reproducible-builds.org

The attached patch removes the user and time information from the
getversion.sh script used during build.


Thanks for maintaining vboot-utils!


live well,
  vagrant

[0001-Add-patch-to-avoid-embedding-the-username-and-time-o.patch (text/x-diff, inline)]

From 163953ac2a68b76c7bc62449db3316f0db53ec94 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Tue, 29 Sep 2020 21:31:51 +0000
Subject: [PATCH 1/2] Add patch to avoid embedding the username and time of the
 build.

This should be unnecessary in the context of building the packages in
Debian, and breaks reproducible builds:

  https://reproducible-builds.org
---
 .../do-not-embed-user-and-time-in-version     | 24 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 25 insertions(+)
 create mode 100644 debian/patches/do-not-embed-user-and-time-in-version

diff --git a/debian/patches/do-not-embed-user-and-time-in-version b/debian/patches/do-not-embed-user-and-time-in-version
new file mode 100644
index 0000000..6c63f89
--- /dev/null
+++ b/debian/patches/do-not-embed-user-and-time-in-version
@@ -0,0 +1,24 @@
+From: Vagrant Cascadian <vagrant@reproducible-builds.org>
+Subject: Avoid embedding user and time in version from getversion.sh
+Date: 2020-09-29
+
+The getversion.sh script embeds the build time and user who built the
+binary, which breaks reproducible builds:
+
+  https://reproducible-builds.org/
+
+Without this patch, "/usr/bin/futility" embeds differing information
+in the binary:
+
+  unknown 2020-09-17 07:53:52 pbuilder1 vs. unknown 2021-10-21 16:19:17 pbuilder2
+
+Index: vboot-utils/scripts/getversion.sh
+===================================================================
+--- vboot-utils.orig/scripts/getversion.sh
++++ vboot-utils/scripts/getversion.sh
+@@ -30,4 +30,4 @@ fi
+ 
+ date=$(date '+%F %T')
+ 
+-echo "const char futility_version[] = \"${ver} ${date} ${USER}\";";
++echo "const char futility_version[] = \"${ver}\";";
diff --git a/debian/patches/series b/debian/patches/series
index bb9d533..694943a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -6,3 +6,4 @@
 0012-fix-spelling-errors.patch
 dont-build-with-werror.patch
 add-missing-flags-pie.patch
+do-not-embed-user-and-time-in-version
-- 
2.28.0

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 971400-submitter@bugs.debian.org (full text, mbox, reply):

From: Sophie Brun <noreply@salsa.debian.org>

To: 971400-submitter@bugs.debian.org

Subject: Bug#971400 marked as pending in vboot-utils

Date: Tue, 27 Oct 2020 20:11:59 +0000

Control: tag -1 pending

Hello,

Bug #971400 in vboot-utils reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/vboot-utils/-/commit/c252ca7baf6065c756bdd0d82d5cf3fe109809d2

------------------------------------------------------------------------
Add a patch to not embed user and time in version (Closes: #971400)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/971400

Message #15 received at 971400-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 971400-close@bugs.debian.org

Subject: Bug#971400: fixed in vboot-utils 0~R87-13505.B-1

Date: Wed, 28 Oct 2020 11:36:20 +0000

Source: vboot-utils
Source-Version: 0~R87-13505.B-1
Done: Sophie Brun <sophie@offensive-security.com>

We believe that the bug you reported is fixed in the latest version of
vboot-utils, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971400@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sophie Brun <sophie@offensive-security.com> (supplier of updated vboot-utils package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Oct 2020 21:01:46 +0100
Source: vboot-utils
Architecture: source
Version: 0~R87-13505.B-1
Distribution: unstable
Urgency: medium
Maintainer: Sophie Brun <sophie@offensive-security.com>
Changed-By: Sophie Brun <sophie@offensive-security.com>
Closes: 971400 971402
Changes:
 vboot-utils (0~R87-13505.B-1) unstable; urgency=medium
 .
   * New upstream version 0~R87-13505.B
   * Refresh patches
   * Add a patch to not embed user and time in version (Closes: #971400)
   * Switch to clang 10 (Closes: #971402)
   * Remove override_dh_fixperms no longer needed
   * Update installation for new upstream release
Checksums-Sha1:
 7c24fa0edcd2b94b0b1b9a307b1672b8d1a894f7 2025 vboot-utils_0~R87-13505.B-1.dsc
 d77012f338904707b9f0296fa9ff15798ba2786c 35833679 vboot-utils_0~R87-13505.B.orig.tar.gz
 eb6d44dec354cf0572b6ea45dfbbcfc56b42eb58 10764 vboot-utils_0~R87-13505.B-1.debian.tar.xz
 4c5d0257e53e077d7ca8dd6607048cf92ddefe52 6400 vboot-utils_0~R87-13505.B-1_source.buildinfo
Checksums-Sha256:
 b065fd4dd75e96f0acb1b4e781f42b709cdc6a50b32432d1f995da8fd0fe3a94 2025 vboot-utils_0~R87-13505.B-1.dsc
 6793298300e784d3ad356ed22641d9fff0ee769f13557c5b119a740410f5dc90 35833679 vboot-utils_0~R87-13505.B.orig.tar.gz
 38829936ab85148fbf5bb47607392b275e052343f7e6f27c5816e2e582713d2d 10764 vboot-utils_0~R87-13505.B-1.debian.tar.xz
 697d81650994976a33e436c3b81859dfdc0c607d56b1095ca2a31fcf85396b65 6400 vboot-utils_0~R87-13505.B-1_source.buildinfo
Files:
 1d711750683f1edfd9158d9eb3948d4d 2025 admin optional vboot-utils_0~R87-13505.B-1.dsc
 6a83c8dc5d9ce038e491f5a85f646ce7 35833679 admin optional vboot-utils_0~R87-13505.B.orig.tar.gz
 529d7eb0bcabe839309cc7566df8b190 10764 admin optional vboot-utils_0~R87-13505.B-1.debian.tar.xz
 6628c33afdd88ca81b4f136dd7d641c6 6400 admin optional vboot-utils_0~R87-13505.B-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
Comment: Signed by Raphael Hertzog

iQEzBAEBCgAdFiEE1823g1EQnhJ1LsbSA4gdq+vCmrkFAl+ZUbgACgkQA4gdq+vC
mrkbMwf+Pk9AU2/+4tb10rwu2RLoBC0zkevPEvrmXr/ASFUMtnhPsT1COKx47kiG
e/OH8i/HGxH6OO7Up0OXIhDt8TcSAepE7b/xjX3YtZ8Bb3FvuEW1MwWhsJ8qINs3
0VlETGlAnIYwXhKuBAEGCtyIQ+Iqo1b5LWXuliRvdA8g35FJwZrY9YhpgsFxiKt5
1g1+Guvz7HhBq9XTNQvaPNx1wn8geI7o6qqyI0RAG0QJ+9fSLYhEn4kttCGVrkvm
0G8SV3Bb1YAt7IrHP1WMYIzcgf5bkGlB0xUshhTCtUpifEgT8Ue2YDHNGlplrIU8
zC5xbAULK3knvG7uqr3rrGeGjDkAdg==
=WfuE
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.