Package: lzop
Version: 1.03-4+b1
Severity: wishlist
User: [email protected]
Usertags: toolchain timestamps umask
X-Debbugs-Cc: [email protected]

lzop embeds timestamp and filesystem mode:

  $ echo foo > foo
  # produces foo.lzo
  $ lzop foo 
  $ lzop --info foo.lzo
  LZO1X-1             4         4 100.0%  2018-04-21 20:21  foo
   1.030 2.080 0.940  Fl: 0x03000001  Mo: 000000100644  Me: 1/5  OS:  3
  $ rm foo.lzo
  $ touch -d @1000000 foo
  $ chmod o-r foo
  $ lzop foo
  $ lzop --info foo.lzo
  LZO1X-1             4         4 100.0%  1970-01-12 05:46  foo
   1.030 2.080 0.940  Fl: 0x03000001  Mo: 000000100640  Me: 1/5  OS:  3

This can lead to unreproducibility in other packages which may ship lzop
compressed data, but are built at different times, or with a different
umask.


Interestingly enough, there are the --no-time and --no-mode options, but
according to the manpage and my experimentation, they only work when
decompressing files, not the creation of the archive.

Making --no-time and --no-mode also apply to the creation of lzo
archives would at least make it possible to call lzop in a deterministic
way.


Patching to support SOURCE_DATE_EPOCH would at least workaround the
timestamp issue:

  https://reproducible-builds.org/specs/source-date-epoch/


I'm not positive, but lzop may also embed other metadata:

  $ echo foo | lzop - | sha256sum

Consistantly produces a different checksum. But I don't always see
changed output from lzop --info:

  $ echo foo | lzop - | lzop --info -
  LZO1X-1             4         4 100.0%  2018-04-21 20:19  <stdout>
  1.030 2.080 0.940  Fl: 0x0300000d  Mo: 000000000000  Me: 1/5  OS:  3

This might be because the lzo archive contains time information at a
higher resolution than displayed(e.g. seconds), or possibly other
metadata.


live well,
  vagrant

Attachment: signature.asc
Description: PGP signature

Reply via email to