Debian Bug report logs - #996572
gcc-arm-none-eabi: reproducible builds: source tarball includes non-deterministic files


Package: src:gcc-arm-none-eabi; Maintainer for src:gcc-arm-none-eabi is Agustin Henze <tin@debian.org>;

Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>

Date: Fri, 15 Oct 2021 17:45:01 UTC

Severity: normal

Tags: patch

Fixed in version gcc-arm-none-eabi/15:10.3-2021.07-2

Done: Keith Packard <keithp@keithp.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Agustin Henze <tin@debian.org>:
Bug#996572; Package src:gcc-arm-none-eabi. (Fri, 15 Oct 2021 17:45:03 GMT)


Acknowledgement sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Agustin Henze <tin@debian.org>. (Fri, 15 Oct 2021 17:45:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Vagrant Cascadian <vagrant@reproducible-builds.org>
To: submit@bugs.debian.org
Subject: gcc-arm-none-eabi: reproducible builds: source tarball includes non-deterministic files
Date: Fri, 15 Oct 2021 10:41:03 -0700
[Message part 1 (text/plain, inline)]
Source: gcc-arm-none-eabi
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: randomness username timestamps fileordering
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The file /autom4te.cache/requests includes non-deterministic ordering,
and is shipped inside /usr/src/gcc-arm-none-eabi-source.tar.xz

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/gcc-arm-none-eabi.html

Patch to debian/rules attached which excludes autom4te.cache from the
tarball, as well as sorting by name, setting the user and group ids, and
setting the timestamp using SOURCE_DATE_EPOCH. These additional
normalizations will be needed if Rules-Requires-Root is ever enabled.

It might be worth considering excluding .pc from the tarball as well;
though this isn't strictly necessary for reproducible builds.


This patch alone does not fix all reproducibility issues (e.g. build
paths, which are only tested on unstable and experimental), but with the
patch from #996194 applied, this should become reproducible once it
migrates to bookworm.


Thanks for maintaining gcc-arm-none-eabi!


live well,
  vagrant
[0002-debian-rules-Generate-tarball-reproducibly.patch (text/x-diff, inline)]
From 5d35d46092e41d95d3f9e76d8043c044ddbdca07 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Fri, 15 Oct 2021 17:07:51 +0000
Subject: [PATCH 2/3] debian/rules: Generate tarball reproducibly.

Exclude autom4te.cache directory (contains autogenerated
non-deterministic files), sort by name, set the user and group ids,
and set timestamp using SOURCE_DATE_EPOCH.
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 07d9a2571..8f2e6526a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -101,7 +101,7 @@ override_dh_strip:
 override_dh_install:
 	dh_install -p$(PACKAGE_GCC) --sourcedir $(GCC_DEB_TMP_DIR)
 	mkdir -p $(GCC_SOURCE_DEB_TMP_DIR)/usr/src
-	tar --exclude=build --exclude=.git --exclude=debian -C $(TOP_DIR) -c -f - . | xz -T0 > $(GCC_SOURCE_DEB_TMP_DIR)/usr/src/$(PACKAGE_GCC_SOURCE).tar.xz
+	tar --exclude=build --exclude=.git --exclude=debian --exclude=autom4te.cache --sort=name --mtime="@$(SOURCE_DATE_EPOCH)" --owner=0 --group=0 --numeric-owner -C $(TOP_DIR) -c -f - . | xz -T0 > $(GCC_SOURCE_DEB_TMP_DIR)/usr/src/$(PACKAGE_GCC_SOURCE).tar.xz
 	dh_install -p$(PACKAGE_GCC_SOURCE) --sourcedir $(GCC_SOURCE_DEB_TMP_DIR)
 
 override_dh_compress:
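Review bot: The added `--mtime="@$(SOURCE_DATE_EPOCH)"` on the tar line depends on SOURCE_DATE_EPOCH being defined when this recipe runs, and nothing in the hunk sets or checks it; with the variable empty, tar is handed `--mtime="@"`, which is not a valid date. Unless debian/rules already does so outside this hunk, consider including /usr/share/dpkg/pkg-info.mk near the top of the file, which defines SOURCE_DATE_EPOCH from the changelog when the environment does not provide it. Separately, the unchanged `xz -T0` stage takes its thread count from the build host, so it is worth confirming that the compressed output is identical on single-core and multi-core builders, or pinning the thread setting.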
-- 
2.30.2

[signature.asc (application/pgp-signature, inline)]
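
The normalizations described in the report above, as an added example that is not part of the bug report or the package: a shell check that archives two trees with identical content but different creation order, mtimes and `autom4te.cache` contents, once with the pre-patch tar options and once with the patched ones, and compares digests. It assumes GNU tar 1.28 or later and GNU coreutils; the tree layout, file names, helper names and the default SOURCE_DATE_EPOCH are constructed.

```shell
#!/bin/sh
# Added example. Hashes the tar stream itself (no xz stage).
: "${SOURCE_DATE_EPOCH:=1634317671}"   # constructed default; a real build takes it from debian/changelog

# make_tree DIR MTIME FILE...: same file content, caller-chosen creation order and mtime
make_tree() {
    dir=$1 stamp=$2; shift 2
    mkdir -p "$dir/src" "$dir/autom4te.cache"
    for f in "$@"; do
        printf 'source of %s\n' "$f" > "$dir/src/$f"
        touch -d "@$stamp" "$dir/src/$f"
    done
    # stands in for the non-deterministic autom4te.cache/requests file
    printf 'requests generated at %s\n' "$stamp" > "$dir/autom4te.cache/requests"
}

# digest_plain DIR: SHA-256 of the archive made with the pre-patch options
digest_plain() {
    tar --exclude=build --exclude=.git --exclude=debian \
        -C "$1" -c -f "$1.tar" . || return 1
    sha256sum < "$1.tar" | cut -d' ' -f1
}

# digest_repro DIR: SHA-256 of the archive made with the options the patch adds
digest_repro() {
    tar --exclude=build --exclude=.git --exclude=debian --exclude=autom4te.cache \
        --sort=name --mtime="@$SOURCE_DATE_EPOCH" --owner=0 --group=0 --numeric-owner \
        -C "$1" -c -f "$1.repro.tar" . || return 1
    sha256sum < "$1.repro.tar" | cut -d' ' -f1
}

# check_tarball_reproducible: returns 0 when the plain digests differ
# and the normalized digests match
check_tarball_reproducible() {
    work=$(mktemp -d) || return 2
    make_tree "$work/a" 1000000000 a.c b.c c.c
    make_tree "$work/b" 1500000000 c.c b.c a.c
    pa=$(digest_plain "$work/a") && pb=$(digest_plain "$work/b") &&
    ra=$(digest_repro "$work/a") && rb=$(digest_repro "$work/b")
    rc=$?
    rm -rf "$work"
    [ "$rc" -eq 0 ] && [ "$pa" != "$pb" ] && [ "$ra" = "$rb" ]
}

if check_tarball_reproducible; then echo "reproducible"; else echo "NOT reproducible"; fi
```
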

Reply sent to Keith Packard <keithp@keithp.com>:
You have taken responsibility. (Fri, 29 Oct 2021 18:36:08 GMT)


Notification sent to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer. (Fri, 29 Oct 2021 18:36:08 GMT)


Message #10 received at 996572-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 996572-close@bugs.debian.org
Subject: Bug#996572: fixed in gcc-arm-none-eabi 15:10.3-2021.07-2
Date: Fri, 29 Oct 2021 18:33:53 +0000
Source: gcc-arm-none-eabi
Source-Version: 15:10.3-2021.07-2
Done: Keith Packard <keithp@keithp.com>

We believe that the bug you reported is fixed in the latest version of
gcc-arm-none-eabi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 996572@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Keith Packard <keithp@keithp.com> (supplier of updated gcc-arm-none-eabi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 29 Oct 2021 10:56:10 -0700
Source: gcc-arm-none-eabi
Architecture: source
Version: 15:10.3-2021.07-2
Distribution: unstable
Urgency: medium
Maintainer: Agustin Henze <tin@debian.org>
Changed-By: Keith Packard <keithp@keithp.com>
Closes: 960166 996194 996572 996573
Changes:
 gcc-arm-none-eabi (15:10.3-2021.07-2) unstable; urgency=medium
 .
   * debian/rules: Generate tarball reproducibly. (Closes: #996194)
 .
   * debian/rules: Pass variables to configure to make the package
     build reproducibly regardless of usrmerge. (Closes: #996572)
 .
   * debian/control: Set Rules-Requires-Root to "no". (Closes: #996573)
 .
   * debian/control: mark gcc-arm-none-eabi Multi-Arch:
     foreign. (Closes: #960166)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 18 Dec 2021 07:32:12 GMT)

