Debian Bug report logs - #978044
wily: reproducible builds: Embeds user, group and umask in tarballs

version graph

Package: src:wily; Maintainer for src:wily is Debian QA Group <packages@qa.debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Fri, 25 Dec 2020 01:51:02 UTC

Severity: normal

Tags: patch

Fixed in version wily/0.13.41-9

Done: Vagrant Cascadian <vagrant@reproducible-builds.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>:
Bug#978044; Package src:wily. (Fri, 25 Dec 2020 01:51:04 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian QA Group <packages@qa.debian.org>. (Fri, 25 Dec 2020 01:51:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: wily: reproducible builds: Embeds user, group and umask in tarballs
Date: Thu, 24 Dec 2020 17:49:47 -0800
[Message part 1 (text/plain, inline)]
Source: wily
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username umask
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The tarballs /usr/share/doc/wily/wily.tar.gz and
/usr/share/doc/wily/tute.tar.gz contain the username, user id, group
name, group id and umask of the build environment in which they were
produced:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/wily.html

  drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2019-08-21·10:11:18.000000·tute/
  vs.
  drwxrwxr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2019-08-21·10:11:18.000000·tute/


The attached patch fixes this by passing arguments to tar in
debian/rules to avoid embedding this metadata.


Thanks for maintaining wily!


live well,
  vagrant

[0001-debian-rules-Pass-options-to-tar-to-generate-reprodu.patch (text/x-diff, inline)]
From 8ee7445fb8376fec85b2f05b929a8881ce6b3d4b Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Fri, 25 Dec 2020 00:01:32 +0000
Subject: [PATCH 1/8] debian/rules: Pass options to tar to generate
 reproducible tarballs.

Pass additional options to tar to ensure sort order, user id, group id
and pax headers are consistent between builds.

See "Full example":

   https://reproducible-builds.org/docs/archives/
---
 debian/rules | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/debian/rules b/debian/rules
index 7d38575..f21f401 100755
--- a/debian/rules
+++ b/debian/rules
@@ -53,10 +53,16 @@ install-stamp: build-stamp
 	install -m644 Doc/changes.txt debian/wily/usr/share/doc/wily/html
 	install -m644 Doc/*.html debian/wily/usr/share/doc/wily/html
 	install -m644 Doc/*.gif debian/wily/usr/share/doc/wily/html
-	cd Doc && GZIP="-9n" tar -czhf \
-		../debian/wily/usr/share/doc/wily/tute.tar.gz tute --mtime="@$(SOURCE_DATE_EPOCH)"
-	cd misc && GZIP="-9n" tar -czhf \
-		../debian/wily/usr/share/doc/wily/wily.tar.gz wily --mtime="@$(SOURCE_DATE_EPOCH)"
+	cd Doc && GZIP="-9n" tar --sort=name \
+		--mtime="@${SOURCE_DATE_EPOCH}" \
+		--owner=0 --group=0 --numeric-owner \
+		--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+		-czhf ../debian/wily/usr/share/doc/wily/tute.tar.gz tute
+	cd misc && GZIP="-9n" tar --sort=name \
+		--mtime="@${SOURCE_DATE_EPOCH}" \
+		--owner=0 --group=0 --numeric-owner \
+		--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+		-czhf ../debian/wily/usr/share/doc/wily/wily.tar.gz wily
 	touch install-stamp
 
 binary-indep: build install
-- 
2.20.1


[signature.asc (application/pgp-signature, inline)]

Reply sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
You have taken responsibility. (Fri, 25 Dec 2020 05:21:04 GMT) (full text, mbox, link).

Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Fri, 25 Dec 2020 05:21:04 GMT) (full text, mbox, link).

Message #10 received at 978044-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 978044-close@bugs.debian.org
Subject: Bug#978044: fixed in wily 0.13.41-9
Date: Fri, 25 Dec 2020 05:18:46 +0000
Source: wily
Source-Version: 0.13.41-9
Done: Vagrant Cascadian <vagrant@reproducible-builds.org>

We believe that the bug you reported is fixed in the latest version of
wily, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978044@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@reproducible-builds.org> (supplier of updated wily package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 24 Dec 2020 20:52:49 -0800
Source: wily
Architecture: source
Version: 0.13.41-9
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Vagrant Cascadian <vagrant@reproducible-builds.org>
Closes: 978044
Changes:
 wily (0.13.41-9) unstable; urgency=medium
 .
   * QA upload.
   * debian/rules: Pass options to tar to generate reproducible tarballs.
     (Closes: #978044)
   * Remove dead link to image in documentation.
   * Patch tools/win/Makefile.in to pass additional include directory.
   * debian/menu: Update to use the "Applications" section.
   * debian/rules: Switch to "dh".
   * Switch to debhelper compat 13.
   * Use debian/wily.install and debian/wily.manpages instead of installing
     manually from debian/rules.
   * debian/rules: Generated tarballs from dh_installdocs override.
   * debian/source/format: Set to "1.0".
   * debian/control: Update Standards-Version to 4.5.1.
   * debian/source/lintian-overrides: Override
     configure-generated-file-in-source, removed in clean target.
   * debian/control: Set Vcs headers.
Checksums-Sha1:
 889a5f34836ce4065309628af7daf10ab74a65e8 1322 wily_0.13.41-9.dsc
 3c3f9c5d0d60c1d322721ad2bcd7bf91e8a9116d 26711 wily_0.13.41-9.diff.gz
Checksums-Sha256:
 a4889f4c7e0f814bb4c1d9009197cc9167de3c981678f0df3f0d0ee54fb8aed5 1322 wily_0.13.41-9.dsc
 e0ad1e925c893596f5176e58a556d557b79816b03ca36d23514508133ecc449b 26711 wily_0.13.41-9.diff.gz
Files:
 1f4cf9d61ebe52ba73422c7fdfbf96e4 1322 editors optional wily_0.13.41-9.dsc
 ef394053fe3b8b1d59b02438e7311a14 26711 editors optional wily_0.13.41-9.diff.gz

-----BEGIN PGP SIGNATURE-----

iJYEARYKAD4WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCX+VyOCAcdmFncmFudEBy
ZXByb2R1Y2libGUtYnVpbGRzLm9yZwAKCRDcUY/If5cWqitwAP47VQGf22v8+5tD
6e+i/aPr/QhMQOWLhkcpKjHoPtjq7QD/ScobV38fQtRT60jbrCCHJj/BYNIMuG9D
lmOCUTfNEQ8=
=3Cyx
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 29 Jan 2021 07:27:50 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 12:49:38 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.