Your message dated Sun, 14 Feb 2016 12:34:07 +0000
with message-id <[email protected]>
and subject line Bug#774426: fixed in cpio 2.11+dfsg-5
has caused the Debian Bug report #774426,
regarding cpio: please make cpio build reproducibly
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
774426: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=774426
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: cpio
Version: 2.11+dfsg-4
Severity: wishlist
User: [email protected]
Usertags: timestamps fileordering

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that cpio could not be built reproducibly.

The attached patch fixes this for our experimental framework. It
contains several small changes for `debian/rules`.

 [1]: https://wiki.debian.org/ReproducibleBuilds

-- 
Lunar                                .''`. 
[email protected]                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
diff -Nru cpio-2.11+dfsg/debian/changelog cpio-2.11+dfsg/debian/changelog
--- cpio-2.11+dfsg/debian/changelog	2014-12-22 12:42:30.000000000 +0100
+++ cpio-2.11+dfsg/debian/changelog	2015-01-02 16:17:48.000000000 +0100
@@ -1,3 +1,12 @@
+cpio (2.11+dfsg-4.0~reproducible1) UNRELEASED; urgency=low
+
+  * Make the package build reproducibly:
+    - Fix mtimes before building binary packages.
+    - Stop recording the current time when creating gzip files.
+    - Sort file list in md5sums.
+
+ -- Jérémy Bobbio <[email protected]>  Fri, 02 Jan 2015 16:15:58 +0100
+
 cpio (2.11+dfsg-4) unstable; urgency=high
 
   [ Michael Gilbert <[email protected]> ]
diff -Nru cpio-2.11+dfsg/debian/rules cpio-2.11+dfsg/debian/rules
--- cpio-2.11+dfsg/debian/rules	2014-03-22 23:22:58.000000000 +0100
+++ cpio-2.11+dfsg/debian/rules	2015-01-02 16:15:57.000000000 +0100
@@ -19,6 +19,8 @@
 STRIP = strip
 endif
 
+BUILD_DATE := $(shell dpkg-parsechangelog | sed -n -e 's/^Date: //p')
+
 ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
 INSTALL_PROGRAM += -s
 endif
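Review bot: BUILD_DATE is assigned from `$(shell dpkg-parsechangelog | sed -n -e 's/^Date: //p')` with no check that the result is non-empty. make does not stop when the command inside `$(shell ...)` fails, so if dpkg-parsechangelog errors out or the Date field is missing, the later recipe lines expand to `-newermt ''` and `--date=''`. Suggest a guard directly after the assignment, such as `ifeq (,$(BUILD_DATE))` with an `$(error ...)`, so the build aborts instead of continuing without a usable date.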
@@ -83,16 +85,18 @@
 # Install changelog & copyright
 	install -m 644 debian/changelog \
 	  debian/tmp-win32/usr/share/doc/$(package)-win32/changelog.Debian
-	gzip -9v debian/tmp-win32/usr/share/doc/$(package)-win32/*
+	gzip -9nv debian/tmp-win32/usr/share/doc/$(package)-win32/*
 	install -m 644 debian/copyright debian/tmp-win32/usr/share/doc/$(package)-win32/.
 
 # Generate md5sums
-	cd debian/tmp-win32 && find * -type f ! -regex '^DEBIAN/.*' -print0 | xargs -r0 md5sum > DEBIAN/md5sums
+	cd debian/tmp-win32 && find * -type f ! -regex '^DEBIAN/.*' -print0 | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
 
 # Generate deb file
 	dpkg-gencontrol -pcpio-win32 -Pdebian/tmp-win32
 	chown -R root.root debian/tmp-win32
 	chmod -R g-ws debian/tmp-win32
+	find debian/tmp-win32 -depth -newermt '$(BUILD_DATE)' -print0 | \
+		xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
 	dpkg-deb --build debian/tmp-win32 ..
 
 binary-arch:	checkroot build
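Review bot: In the added `find debian/tmp-win32 -depth -newermt '$(BUILD_DATE)' -print0 | xargs -0r touch ...` line, only the exit status of xargs reaches make. If find rejects the date string, it prints nothing, `xargs -r` then runs no command and succeeds, and `dpkg-deb --build` packs the tree with unclamped mtimes without any error. Since this step exists only to guarantee reproducibility, consider making the failure visible, for example by checking before `dpkg-deb --build` that nothing under debian/tmp-win32 is newer than BUILD_DATE. A short comment above the `gzip -9nv` line saying that `-n` is there to keep the timestamp out of the gzip header would also help the next maintainer not drop it.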
@@ -125,20 +129,22 @@
 # Install changelog & copyright
 	install -m 644 debian/changelog \
 	  debian/tmp/usr/share/doc/$(package)/changelog.Debian
-	gzip -9v debian/tmp/usr/share/doc/$(package)/*
-	gzip -9v debian/tmp/usr/share/man/*/*
+	gzip -9nv debian/tmp/usr/share/doc/$(package)/*
+	gzip -9nv debian/tmp/usr/share/man/*/*
 	rm -rf debian/tmp/usr/share/info
 	install -m 644 debian/copyright debian/tmp/usr/share/doc/$(package)/.
 # Determine shared library dependencies
 	dpkg-shlibdeps debian/tmp/bin/cpio debian/tmp/bin/mt-gnu
 
 # Generate md5sums
-	cd debian/tmp && find * -type f ! -regex '^DEBIAN/.*' -print0 | xargs -r0 md5sum > DEBIAN/md5sums
+	cd debian/tmp && find * -type f ! -regex '^DEBIAN/.*' -print0 | LC_ALL=C sort -z | xargs -r0 md5sum > DEBIAN/md5sums
 
 # Generate deb file
 	dpkg-gencontrol -pcpio -Pdebian/tmp
 	chown -R root.root debian/tmp
 	chmod -R g-ws debian/tmp
+	find debian/tmp -depth -newermt '$(BUILD_DATE)' -print0 | \
+		xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
 	dpkg-deb --build debian/tmp ..
 
 define checkdir
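Review bot: The find/touch pair added before `dpkg-deb --build debian/tmp ..` is a copy of the one added for debian/tmp-win32, differing only in the directory name. This file already uses `define` blocks (`define checkdir` follows this hunk), so a small define that takes the directory as its argument would keep the two binary targets from drifting apart if the clamp logic is changed later.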


--- End Message ---
--- Begin Message ---
Source: cpio
Source-Version: 2.11+dfsg-5

We believe that the bug you reported is fixed in the latest version of
cpio, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Anibal Monsalve Salazar <[email protected]> (supplier of updated cpio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 14 Feb 2016 12:01:51 +0000
Source: cpio
Binary: cpio cpio-win32
Architecture: source all amd64
Version: 2.11+dfsg-5
Distribution: unstable
Urgency: medium
Maintainer: Anibal Monsalve Salazar <[email protected]>
Changed-By: Anibal Monsalve Salazar <[email protected]>
Description:
 cpio       - GNU cpio -- a program to manage archives of files
 cpio-win32 - GNU cpio -- a program to manage archives of files (win32 build)
Closes: 774426 812401
Changes:
 cpio (2.11+dfsg-5) unstable; urgency=medium
 .
   [ Salvatore Bonaccorso ]
   * CVE-2016-2037: 1-byte out-of-bounds write (Closes: #812401)
 .
   [ Jérémy Bobbio ]
   * Make the package build reproducibly:
     - Fix mtimes before building binary packages.
     - Stop recording the current time when creating gzip files.
     - Sort file list in md5sums.
     Closes: #774426
 .
   [ Anibal Monsalve Salazar ]
   * Standards-Version: 3.9.6

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----

--- End Message ---
