Your message dated Fri, 08 Mar 2024 07:04:38 +0000
with message-id <e1riuhw-00h0dh...@fasolo.debian.org>
and subject line Bug#1037427: fixed in newlib 4.4.0.20231231-2
has caused the Debian Bug report #1037427,
regarding newlib: reproducible builds: tarball embeds various metadata from 
build machine
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1037427: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037427
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: newlib
Version: 3.3.0-1.3
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: username timestamps
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The source tarball /usr/src/newlib/newlib-3.3.0.tar.xz embeds
timestamps, file mode, username, userid, groupname and groupid of the
build user:

  https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/newlib.html

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent sort order, timestamps, user, group,
uid and gid and file mode in the generated tarball.


According to my local tests, with this patch applied newlib should
become reproducible on tests.reproducible-builds.org once it migrates to
trixie/testing! Unfortunately, other issues (build paths) tested on
unstable and experimental are still unresolved.


Thanks for maintaining newlib!

live well,
  vagrant
From 9bd70cde30f64de8f34902e73768b6224b7526ed Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagr...@reproducible-builds.org>
Date: Fri, 9 Jun 2023 20:12:09 -0700
Subject: debian/rules: Pass arguments to tar for consistent sort
 order, timestamps, user, group and mode.

https://reproducible-builds.org/docs/archives/
---
 debian/rules | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index c7e4891..c4895fb 100755
--- a/debian/rules
+++ b/debian/rules
@@ -67,7 +67,12 @@ CONFIGURE_FLAGS_NANO = \
 	dh $@ -B$(BUILD_DIR) --with autotools-dev --parallel
 
 debian/newlib-$(DEB_VERSION_UPSTREAM).tar.xz:
-	tar -acf $@ --exclude=debian --exclude-vcs --exclude='*.dh-orig' `pwd`/../`basename $(TOP_DIR)`
+	tar -acf $@ --exclude=debian --exclude-vcs --exclude='*.dh-orig' \
+		--sort=name \
+		--mtime="@$(SOURCE_DATE_EPOCH)" \
+		--owner=0 --group=0 --numeric-owner \
+		--mode=go=rX,u+rw,a-s \
+		`pwd`/../`basename $(TOP_DIR)`
 
 override_dh_clean:
 	dh_clean
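Review bot: The added `--mtime="@$(SOURCE_DATE_EPOCH)"` line depends on SOURCE_DATE_EPOCH being set whenever this target runs, and nothing in the visible hunk defines or defaults it; if the variable is empty, tar is handed `--mtime="@"`, which is not a valid timestamp. dpkg-buildpackage exports the variable, but a direct `debian/rules` invocation may not, so unless it is already handled outside this hunk, include /usr/share/dpkg/pkg-info.mk near the top of debian/rules (it defines SOURCE_DATE_EPOCH from the changelog) or give the variable an explicit default. A short comment above the tar call pointing at the reproducible-builds archive documentation cited in the commit message would also help later readers understand why each option is there.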
-- 
2.39.2

Attachment: signature.asc
Description: PGP signature


--- End Message ---
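A check for the properties the report above asks for, as an added example that is not part of the original message or of the newlib packaging: it audits a tar archive for leaked mtime, owner, names, mode and member order. The function names, the sample member names and the epoch value are constructed for illustration, and it assumes that `--numeric-owner` leaves the name fields empty and that `--sort=name` orders entries byte-wise within each directory.

```python
import io
import tarfile

def audit_tar(data, source_date_epoch):
    """List (member, field) pairs that the patch's tar options would have normalised."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tf:
        members = tf.getmembers()
    for m in members:
        if m.mtime != source_date_epoch:        # --mtime="@$(SOURCE_DATE_EPOCH)"
            findings.append((m.name, "mtime"))
        if m.uid != 0 or m.gid != 0:            # --owner=0 --group=0
            findings.append((m.name, "uid/gid"))
        if m.uname or m.gname:                  # --numeric-owner (assumed: names left empty)
            findings.append((m.name, "uname/gname"))
        if m.isreg() or m.isdir():              # --mode=go=rX,u+rw,a-s
            grp, oth = (m.mode >> 3) & 7, m.mode & 7
            if m.mode & 0o6000 or grp != oth or oth & 2 or (m.mode & 0o600) != 0o600:
                findings.append((m.name, "mode"))
    # --sort=name walks each directory in sorted order, so compare path
    # components, not whole strings ("a/c" sorts before "a.txt" this way).
    keys = [tuple(m.name.rstrip("/").split("/")) for m in members]
    if keys != sorted(keys):
        findings.append(("<archive>", "order"))
    return findings

def make_tar(entries):
    """Build a constructed sample archive from (name, mode, mtime, uid, gid, uname, gname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name, mode, mtime, uid, gid, uname, gname in entries:
            ti = tarfile.TarInfo(name)
            ti.mode, ti.mtime, ti.uid, ti.gid = mode, mtime, uid, gid
            ti.uname, ti.gname = uname, gname
            tf.addfile(ti)                      # zero-length regular file
    return buf.getvalue()

EPOCH = 1700000000  # constructed stand-in for SOURCE_DATE_EPOCH
LEAKY = make_tar([  # constructed: build user's metadata and unsorted order
    ("newlib-3.3.0/b.txt", 0o664, EPOCH + 123, 1000, 1000, "builder", "builder"),
    ("newlib-3.3.0/a/c", 0o644, EPOCH, 0, 0, "", ""),
])
CLEAN = make_tar([  # constructed: what the patched tar call is meant to yield
    ("newlib-3.3.0/a/c", 0o644, EPOCH, 0, 0, "", ""),
    ("newlib-3.3.0/a.txt", 0o755, EPOCH, 0, 0, "", ""),
])

if __name__ == "__main__":
    for label, blob in (("leaky", LEAKY), ("clean", CLEAN)):
        print(label, audit_tar(blob, EPOCH))
```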
--- Begin Message ---
Source: newlib
Source-Version: 4.4.0.20231231-2
Done: Petter Reinholdtsen <p...@debian.org>

We believe that the bug you reported is fixed in the latest version of
newlib, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <p...@debian.org> (supplier of updated newlib package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 08 Mar 2024 07:19:10 +0100
Source: newlib
Architecture: source
Version: 4.4.0.20231231-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packa...@qa.debian.org>
Changed-By: Petter Reinholdtsen <p...@debian.org>
Closes: 984446 1037427 1064733
Changes:
 newlib (4.4.0.20231231-2) unstable; urgency=medium
 .
   * QA upload.
   * Upload to unstable.
 .
 newlib (4.4.0.20231231-1) experimental; urgency=medium
 .
   * QA upload.
   * Orphan package with approval from the current maintainer.
 .
   [ Vagrant Cascadian ]
   * debian/rules: Pass arguments to tar for consistency (Closes: #1037427)
 .
   [ Petter Reinholdtsen ]
   * New upstream version 4.4.0.20231231
    - Fixes CVE-2021-3420 (Closes: #984446).
    - Fixes build problem (Closes: #1064733).
   * Switched from debhelper compat level 9 to 10 to avoid deprecation warning.
   * Updated to Standards-Version 4.6.2.
   * Added some metadata to d/patches/ files.

Attachment: pgpQNGfZWeoXc.pgp
Description: PGP signature


--- End Message ---
