Source: newlib Version: 3.3.0-1.3 Severity: normal Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: username timestamps X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
The source tarball /usr/src/newlib/newlib-3.3.0.tar.xz embeds timestamps, file mode, username, userid, groupname and groupid of the build user: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/newlib.html The attached patch fixes this by passing arguments to tar in debian/rules to ensure consistent sort order, timestamps, user, group, uid and gid and file mode in the generated tarball. According to my local tests, with this patch applied newlib should become reproducible on tests.reproducible-builds.org once it migrates to trixie/testing! Unfortunately, other issues (build paths) tested on unstable and experimental are still unresolved. Thanks for maintaining newlib! live well, vagrant
From 9bd70cde30f64de8f34902e73768b6224b7526ed Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian <vagr...@reproducible-builds.org> Date: Fri, 9 Jun 2023 20:12:09 -0700 Subject: debian/rules: Pass arguments to tar for consistent sort order, timestamps, user, group and mode. https://reproducible-builds.org/docs/archives/ --- debian/rules | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index c7e4891..c4895fb 100755 --- a/debian/rules +++ b/debian/rules @@ -67,7 +67,12 @@ CONFIGURE_FLAGS_NANO = \ dh $@ -B$(BUILD_DIR) --with autotools-dev --parallel debian/newlib-$(DEB_VERSION_UPSTREAM).tar.xz: - tar -acf $@ --exclude=debian --exclude-vcs --exclude='*.dh-orig' `pwd`/../`basename $(TOP_DIR)` + tar -acf $@ --exclude=debian --exclude-vcs --exclude='*.dh-orig' \ + --sort=name \ + --mtime="@$(SOURCE_DATE_EPOCH)" \ + --owner=0 --group=0 --numeric-owner \ + --mode=go=rX,u+rw,a-s \ + `pwd`/../`basename $(TOP_DIR)` override_dh_clean: dh_clean -- 2.39.2
signature.asc
Description: PGP signature