Source: unzip
Version: 6.0-16
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps fileordering

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that unzip could not be built reproducibly.

The attached patch removes timestamps from gzip files and from the
binary. It also makes the mtime of files in the binary package
deterministic, and sorts the md5sums file in order to make its content
independent from the filesystem ordering.

Once applied, unzip can be built reproducibly in our current
experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds

-- 
Lunar                                .''`. 
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
diff -Nru unzip-6.0/debian/changelog unzip-6.0/debian/changelog
--- unzip-6.0/debian/changelog	2015-01-30 22:16:15.000000000 +0100
+++ unzip-6.0/debian/changelog	2015-04-18 22:17:06.000000000 +0200
@@ -1,3 +1,13 @@
+unzip (6.0-16.0~reproducible1) UNRELEASED; urgency=low
+
+  * Make the package build reproducibly:
+    - Add a patch to remove the build date from the binary.
+    - Prevent gzip from storing the current time.
+    - Make sure that the mtime of shipped are deterministic.
+    - Write md5sums in a stable order.
+
+ -- Jérémy Bobbio <lu...@debian.org>  Sat, 18 Apr 2015 21:59:37 +0200
+
 unzip (6.0-16) unstable; urgency=medium
 
   * Update 09-cve-2014-8139-crc-overflow to fix CVE-2014-8139
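Review bot: the bullet `- Make sure that the mtime of shipped are deterministic.` is missing its noun; `the mtime of shipped files` is what the rules change below actually does. The stanza is also versioned `6.0-16.0~reproducible1` as `UNRELEASED`, which is fine for a proposed patch but should be folded into the next real revision's entry when the maintainer uploads.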
diff -Nru unzip-6.0/debian/patches/13-remove-build-date unzip-6.0/debian/patches/13-remove-build-date
--- unzip-6.0/debian/patches/13-remove-build-date	1970-01-01 01:00:00.000000000 +0100
+++ unzip-6.0/debian/patches/13-remove-build-date	2015-04-18 21:59:26.000000000 +0200
@@ -0,0 +1,16 @@
+Description: Remove build date
+ In order to make unzip build reproducibly, we remove the
+ (already optional) build date from the binary.
+Author: Jérémy Bobbio <lu...@debian.org>
+
+--- unzip-6.0.orig/unix/unix.c
++++ unzip-6.0/unix/unix.c
+@@ -1705,7 +1705,7 @@ void version(__G)
+ #endif /* Sun */
+ #endif /* SGI */
+ 
+-#ifdef __DATE__
++#if 0
+       " on ", __DATE__
+ #else
+       "", ""
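Review bot: replacing `#ifdef __DATE__` with `#if 0` keeps the diff against upstream minimal but leaves the `" on ", __DATE__` branch of `version()` as dead code; since this is a Debian-only change rather than something to send upstream, the DEP-3 header should say so with a `Forwarded: not-needed` line, as the patch header currently carries only `Description` and `Author`.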
diff -Nru unzip-6.0/debian/patches/series unzip-6.0/debian/patches/series
--- unzip-6.0/debian/patches/series	2015-01-30 22:11:36.000000000 +0100
+++ unzip-6.0/debian/patches/series	2015-04-18 21:58:19.000000000 +0200
@@ -10,3 +10,4 @@
 10-cve-2014-8140-test-compr-eb
 11-cve-2014-8141-getzip64data
 12-cve-2014-9636-test-compr-eb
+13-remove-build-date
diff -Nru unzip-6.0/debian/rules unzip-6.0/debian/rules
--- unzip-6.0/debian/rules	2014-12-30 22:12:27.000000000 +0100
+++ unzip-6.0/debian/rules	2015-04-18 22:17:57.000000000 +0200
@@ -22,6 +22,8 @@
 DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
 DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
 
+BUILD_DATE := $(shell dpkg-parsechangelog -S Date)
+
 ifneq ($(DEB_HOST_GNU_TYPE),$(DEB_BUILD_GNU_TYPE))
   CC=$(DEB_HOST_GNU_TYPE)-gcc
   STRIPCMD=$(DEB_HOST_GNU_TYPE)-strip
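Review bot: `dpkg-parsechangelog -S Date` yields the RFC 2822 date from the changelog, complete with its explicit UTC offset, so `BUILD_DATE` is the same on every build host regardless of its TZ; that is what makes the `touch --date` call further down deterministic. The `-S` option is only available in newer dpkg-dev, so if backports to older releases are a concern the `Build-Depends` versioned dependency on dpkg-dev should be checked.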
@@ -56,17 +58,20 @@
 	cat debian/copyright.in LICENSE > $(docdir)/copyright
 	cp debian/changelog $(docdir)/changelog.Debian
 	cp -p History.* BUGS ToDo $(docdir)
-	cd $(docdir) && gzip -9 changelog.Debian History.*
+	cd $(docdir) && gzip -9n changelog.Debian History.*
 	ln -s $(history).gz $(docdir)/changelog.gz
 	cd debian/tmp/usr/bin && $(STRIP) funzip unzip unzipsfx zipinfo
-	gzip -r9 debian/tmp/usr/man
+	gzip -r9n debian/tmp/usr/man
 	cd debian/tmp && mv usr/man usr/share
 	dpkg-shlibdeps debian/tmp/usr/bin/unzip
 	dpkg-gencontrol
 	cd debian/tmp && \
-		md5sum `find * -type f ! -regex "DEBIAN/.*"` > DEBIAN/md5sums
+		find * -type f ! -regex "DEBIAN/.*" -print0 | \
+		LC_ALL=C sort -z | xargs -0r md5sum > DEBIAN/md5sums
 	chown -R 0:0 debian/tmp
 	chmod -R go=rX debian/tmp
+	find 'debian/tmp' -depth -newermt '$(BUILD_DATE)' -print0 | \
+		xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
 	dpkg --build debian/tmp ..
 
 binary: binary-indep binary-arch
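Review bot: the `touch` pipeline is well placed (after `chown`/`chmod`, before `dpkg --build`) and, because there is no `-type f`, it also covers directories and the `changelog.gz` symlink, the latter thanks to `--no-dereference`; the one caveat is that `-newermt` only clamps mtimes later than the changelog date, so the files `cp -p` carried over (`History.*`, `BUGS`, `ToDo`) keep their upstream mtime, which is stable only as long as the source tarball is. For the md5sums change, `LC_ALL=C sort -z` gives byte-order sorting independent of the build host's locale, and since the input to `xargs` is already ordered the output stays ordered even if `xargs` has to run `md5sum` more than once; `-print0`/`-0` also fixes the old backtick version's breakage on file names containing whitespace.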

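As an added check, not part of Lunar's patch or of the unzip package, the following Python inspects the two things the patch normalises: whether a gzip member still carries an MTIME or original file name (both suppressed by `gzip -n`), and whether an md5sums file is in the byte order that `LC_ALL=C sort` produces. The sample gzip members and md5sums content are constructed here, and the non-zero timestamp is a made-up value.

```python
import gzip
import hashlib
import io
import struct

FNAME = 0x08  # gzip FLG bit set when an original file name follows the fixed header

def gzip_header_info(data: bytes) -> dict:
    """Parse the fixed 10-byte gzip member header (RFC 1952) and return the two
    fields that `gzip -n` suppresses: the MTIME word and the FNAME flag."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    _id1, _id2, _cm, flg, mtime, _xfl, _os = struct.unpack("<BBBBIBB", data[:10])
    return {"mtime": mtime, "has_fname": bool(flg & FNAME)}

def is_reproducible_gzip(data: bytes) -> bool:
    """True when the header carries neither a timestamp nor a file name."""
    info = gzip_header_info(data)
    return info["mtime"] == 0 and not info["has_fname"]

def sample_gzip_members() -> dict:
    """Constructed samples of what `gzip -9` and `gzip -9n` leave in the header;
    the non-zero timestamp is a made-up value, not taken from a real build."""
    payload = b"unzip (6.0-16) unstable; urgency=medium\n"
    out = {}
    for label, name, mtime in (("gzip -9", "changelog.Debian", 1429386000),
                               ("gzip -9n", "", 0)):
        buf = io.BytesIO()
        with gzip.GzipFile(filename=name, mode="wb", fileobj=buf,
                           compresslevel=9, mtime=mtime) as member:
            member.write(payload)
        out[label] = buf.getvalue()
    return out

def md5sums_in_stable_order(text: str) -> bool:
    """True when the md5sums lines are in the order `LC_ALL=C sort` produces,
    i.e. by the raw bytes of the path rather than by the build host's locale."""
    paths = [line.split("  ", 1)[1] for line in text.splitlines() if line.strip()]
    return paths == sorted(paths, key=lambda p: p.encode("utf-8"))

def sample_md5sums(stable: bool) -> str:
    """Constructed md5sums content for files the package ships (hashes are of the
    path string, as stand-ins); `stable=False` mimics an arbitrary readdir order."""
    paths = ["usr/bin/funzip", "usr/bin/unzip", "usr/share/doc/unzip/BUGS.gz",
             "usr/share/doc/unzip/ToDo.gz", "usr/share/doc/unzip/changelog.Debian.gz"]
    if not stable:
        paths[3], paths[4] = paths[4], paths[3]
    return "".join(f"{hashlib.md5(p.encode()).hexdigest()}  {p}\n" for p in paths)
```

The same header check can be run over the `.gz` files under `debian/tmp` after the build to confirm that every member has MTIME 0 and no FNAME.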
_______________________________________________
Reproducible-builds mailing list
Reproducible-builds@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
