Debian Bug report logs - #977180
mlpost: reproducible builds: examples.tar.gz includes user, group and file mode

version graph

Package: src:mlpost; Maintainer for src:mlpost is Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Sat, 12 Dec 2020 06:09:02 UTC

Severity: normal

Tags: patch

Fixed in version 0.9-1

Done: Vagrant Cascadian <vagrant@reproducible-builds.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#977180; Package src:mlpost. (Sat, 12 Dec 2020 06:09:04 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Sat, 12 Dec 2020 06:09:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: mlpost: reproducible builds: examples.tar.gz includes user, group and file mode
Date: Fri, 11 Dec 2020 22:06:09 -0800
[Message part 1 (text/plain, inline)]
Source: mlpost
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: umask username
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The file /usr/share/doc/mlpost/examples/examples.tar.gz includes user,
group and file mode that may vary between builds:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/mlpost.html

  1 drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2017-03-10·08:57:15.000000·examples/
  1 drwxrwxr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2017-03-10·08:57:15.000000·examples/


The attached patch fixes this by passing arguments to tar to ensure
consistent user id, group id, sort order, timestamps and pax headers.


Thanks for maintaining mlpost!


live well,
  vagrant

[0002-Patch-Makefile.in-to-generate-tarball-with-consisten.patch (text/x-diff, inline)]
From 2974d881f31bc9808f3334565bbbd126beb4295f Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Sat, 12 Dec 2020 05:51:14 +0000
Subject: [PATCH 2/2] Patch Makefile.in to generate tarball with consistent
 user id, group id, sort order, timestamps and pax headers.

This patch relies on extensions to GNU tar and may require
adjustments to make portable across implementations.

https://reproducible-builds.org/docs/archives/
---
 Makefile.in | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Makefile.in b/Makefile.in
index f454959..065f35b 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -214,7 +214,11 @@ source:
 	mkdir -p export/$(EXPORTDIR)/contrib/lablgtk
 	cp $(CONTRIBDOTFILES) export/$(EXPORTDIR)/contrib/dot
 	cp $(CONTRIBLABLGTKFILES) export/$(EXPORTDIR)/contrib/lablgtk
-	cd export ; tar cf $(TAR) $(EXPORTDIR) ; gzip -f --best $(TAR)
+	cd export ; tar --sort=name \
+		--mtime="@$${SOURCE_DATE_EPOCH}" \
+		--owner=0 --group=0 --numeric-owner \
+		--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+		-cf $(TAR) $(EXPORTDIR) ; gzip -f --best $(TAR)
 
 
 DOCFILES:=$(shell echo *.mli)
-- 
2.29.2


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>:
Bug#977180; Package src:mlpost. (Sat, 26 Dec 2020 21:30:02 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Extra info received and forwarded to list. Copy sent to Debian OCaml Maintainers <debian-ocaml-maint@lists.debian.org>. (Sat, 26 Dec 2020 21:30:02 GMT) (full text, mbox, link).

Message #10 received at 977180@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: 977180@bugs.debian.org
Subject: Re: mlpost: reproducible builds: examples.tar.gz includes user, group and file mode
Date: Sat, 26 Dec 2020 13:27:38 -0800
[Message part 1 (text/plain, inline)]
On 2020-12-11, Vagrant Cascadian wrote:
> From 2974d881f31bc9808f3334565bbbd126beb4295f Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
> Date: Sat, 12 Dec 2020 05:51:14 +0000
> Subject: [PATCH 2/2] Patch Makefile.in to generate tarball with consistent
>  user id, group id, sort order, timestamps and pax headers.
>
> This patch relies on extensions to GNU tar and may require
> adjustments to make portable across implementations.
>
> https://reproducible-builds.org/docs/archives/
> ---
>  Makefile.in | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/Makefile.in b/Makefile.in
> index f454959..065f35b 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> @@ -214,7 +214,11 @@ source:
>  	mkdir -p export/$(EXPORTDIR)/contrib/lablgtk
>  	cp $(CONTRIBDOTFILES) export/$(EXPORTDIR)/contrib/dot
>  	cp $(CONTRIBLABLGTKFILES) export/$(EXPORTDIR)/contrib/lablgtk
> -	cd export ; tar cf $(TAR) $(EXPORTDIR) ; gzip -f --best $(TAR)
> +	cd export ; tar --sort=name \
> +		--mtime="@$${SOURCE_DATE_EPOCH}" \
> +		--owner=0 --group=0 --numeric-owner \
> +		--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
> +		-cf $(TAR) $(EXPORTDIR) ; gzip -f --best $(TAR)
>  
>  
>  DOCFILES:=$(shell echo *.mli)

I think the patch may also need to pass --mode=a+rX,og-w to tar as well.

My original test environment didn't catch the change of umask that
tests.reproducible-builds.org tests do, but I found it was necessary for
another package with a similar issue.


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Reply sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
You have taken responsibility. (Thu, 15 Dec 2022 17:24:05 GMT) (full text, mbox, link).

Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Thu, 15 Dec 2022 17:24:05 GMT) (full text, mbox, link).

Message #15 received at 977180-done@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: 977180-done@bugs.debian.org, 977179-done@bugs.debian.org
Subject: Re: mlpost: reproducible builds issues fixed in newer version
Date: Thu, 15 Dec 2022 09:21:44 -0800
[Message part 1 (text/plain, inline)]
Version: 0.9-1

Both the timestamp and tarball issues appear to have been fixed for
about a year in bookworm/testing:

  https://tests.reproducible-builds.org/debian/history/mlpost.html

There are some build path issues still present in unstable, but neither
of these patches addressed those issues.


live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 13 Jan 2023 07:29:37 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 11:14:22 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.