Your message dated Wed, 10 Sep 2025 07:40:51 +0000
with message-id <[email protected]>
and subject line Bug#1020867: fixed in uclibc 1.0.54-1
has caused the Debian Bug report #1020867,
regarding uclibc: reproducible builds: tarball includes user, group and file
mode of build user
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1020867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1020867
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: uclibc
Severity: normal
Tags: patch
User: [email protected]
Usertags: umask username
X-Debbugs-Cc: [email protected]
The source tarball /usr/src/uClibc-ng-1.0.35.tar.xz embeds the username,
userid, groupname, groupid and umask of the build user:

https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/uclibc.html

drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2020-08-29·02:35:19.000000·uClibc-ng-1.0.35/
vs.
drwxrwxr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2020-08-29·02:35:19.000000·uClibc-ng-1.0.35/

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent user, group, uid, gid and file
permissions in the generated tarball.

I have not verified that these changes work correctly in the resulting
packages, only that it builds reproducibly; please be sure to verify
before uploading.

I have not fully tested this patch as my local build environment does
not successfully test umask differences, though I am fairly confident
with this patch applied, uclibc should become reproducible on
tests.reproducible-builds.org!

Thanks for maintaining uclibc!

live well,
vagrant
From 7463e372afbc7f9d3e7c78788741ded0890c4102 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <[email protected]>
Date: Tue, 27 Sep 2022 19:09:06 +0000
Subject: [PATCH] debian/rules: Set sort order, user id, group id, and file
mask when generating tarball.
https://reproducible-builds.org/docs/archives/
---
debian/rules | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/rules b/debian/rules
index c850f66..7a41ebc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -129,7 +129,7 @@ build/uClibc-ng-$(version).tar.xz: build/uClibc-ng-$(version).tar
build/uClibc-ng-$(version).tar:
dh_testdir
mkdir -p build
- tar -cf $@ --mtime="$(BUILD_DATE)" --exclude=./build --transform s@^\.@uClibc-ng-$(version)@ .
+ tar -cf $@ --mtime="$(BUILD_DATE)" --sort=name --owner=0 --group=0 --numeric-owner --mode=go=rX,u+rw,a-s --exclude=./build --transform s@^\.@uClibc-ng-$(version)@ .
binary-%: build-%
dh_testdir
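
Review bot: The replacement `tar` line in the build/uClibc-ng-$(version).tar recipe carries no comment saying why `--sort=name --owner=0 --group=0 --numeric-owner --mode=go=rX,u+rw,a-s` are there. The rationale and the https://reproducible-builds.org/docs/archives/ reference exist only in the commit message, so a later cleanup of debian/rules could drop the options without anyone noticing the build has stopped being reproducible. Suggest a one-line comment above the recipe and splitting the options over continuation lines, since the command is now one very long line. Separately, `--mode=go=rX,u+rw,a-s` rewrites the permissions of every member, not only the top-level directory shown in the diffoscope output, so it is worth confirming that nothing shipped in the tarball depends on group-write or setuid/setgid bits before upload.
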
--
2.37.2
--- End Message ---
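
The effect described in the report above, as an added example (not part of the original report or of the Debian packaging): the same source tree archived by two build users with different umasks yields different tarballs, and applying the equivalents of the patch's tar options makes them byte-identical. The tree contents, the timestamp and the function names are constructed; the user names and ids mirror the diffoscope output; normalize_mode is a model of chmod-style symbolic modes, and sorting by full path approximates --sort=name.

```python
import hashlib
import io
import tarfile

MTIME = 1598668519  # constructed fixed timestamp, standing in for --mtime="$(BUILD_DATE)"

# Constructed trees: (path, mode, data); data=None marks a directory.
# Same content, but TREE_A was created under umask 022 and TREE_B under 002,
# and the two listings arrive in different readdir order.
TREE_A = [("src", 0o755, None), ("src/Makefile", 0o644, b"all:\n"),
          ("src/configure", 0o755, b"#!/bin/sh\n")]
TREE_B = [("src", 0o775, None), ("src/configure", 0o775, b"#!/bin/sh\n"),
          ("src/Makefile", 0o664, b"all:\n")]


def normalize_mode(mode, is_dir):
    """Model of chmod-style go=rX,u+rw,a-s (the value given to tar --mode)."""
    any_x = is_dir or bool(mode & 0o111)     # X: only dirs / already-executable
    go = 0o5 if any_x else 0o4
    mode = (mode & 0o7700) | (go << 3) | go  # go=rX
    mode |= 0o600                            # u+rw
    return mode & ~0o6000                    # a-s: drop setuid/setgid


def archive_digest(tree, user, uid, normalize=False):
    """Write the tree to an in-memory tar as build user `user` and hash it."""
    if normalize:
        tree = sorted(tree)  # approximates --sort=name
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path, mode, data in tree:
            info = tarfile.TarInfo(path)
            info.type = tarfile.DIRTYPE if data is None else tarfile.REGTYPE
            info.size = len(data or b"")
            info.mtime = MTIME
            info.mode, info.uid, info.gid = mode, uid, uid
            info.uname = info.gname = user
            if normalize:
                info.mode = normalize_mode(mode, data is None)
                info.uid = info.gid = 0          # --owner=0 --group=0
                info.uname = info.gname = ""     # --numeric-owner: no names stored
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return hashlib.sha256(buf.getvalue()).hexdigest()


if __name__ == "__main__":
    for norm in (False, True):
        a = archive_digest(TREE_A, "pbuilder1", 1111, norm)
        b = archive_digest(TREE_B, "pbuilder2", 2222, norm)
        print("normalized" if norm else "raw", "identical" if a == b else "differ")
```
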
--- Begin Message ---
Source: uclibc
Source-Version: 1.0.54-1
Done: Andreas Tille <[email protected]>
We believe that the bug you reported is fixed in the latest version of
uclibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <[email protected]> (supplier of updated uclibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 10 Sep 2025 06:33:55 +0200
Source: uclibc
Architecture: source
Version: 1.0.54-1
Distribution: unstable
Urgency: medium
Maintainer: Héctor Orón Martínez <[email protected]>
Changed-By: Andreas Tille <[email protected]>
Closes: 811252 864020 946533 1010748 1020867
Changes:
uclibc (1.0.54-1) unstable; urgency=medium
.
* Team upload.
.
[ Andreas Tille ]
* New upstream version (closing CVE-2021-27419)
Closes: #1010748, #811252
* Point Vcs fields to Salsa
* Remove Simon Richter from Maintainer at own request (thank you for your
previous work, Simon)
Closes: #946533
* d/watch: version=4
* Standards-Version: 4.7.2 (routine-update)
* debhelper-compat 13 (routine-update)
* Remove trailing whitespace in debian/changelog (routine-update)
* Remove trailing whitespace in debian/copyright (routine-update)
* Do not parse d/changelog (routine-update)
* debputy lint --auto-fix (routine-update)
* d/rules: automatically calculate version
* Trim trailing whitespace.
* Add missing ${misc:Depends} to Depends for uclibc-source.
* Rely on pre-initialized dpkg-architecture variables.
.
[ Helmut Grohne ]
* (re-)enable verbose build logs
Closes: #864020
.
[ Vagrant Cascadian ]
* reproducible builds: Do not include user, group and file mode of build user
in tarball
Closes: #1020867
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---