Bug#858431: strip-nondeterminism does not normalize Unix ownership from zip archives or .epub files

[Chris Lamb]

tags 858431 + pending
thanks

This is fixed in Git, pending upload:

  
https://salsa.debian.org/reproducible-builds/strip-nondeterminism/commit/f40f555085eeb086bfd4ee1fca1012550790a12d

  Makefile.PL  |  1 +
  lib/File/StripNondeterminism/handlers/zip.pm | 31 +++-
  2 files changed, 27 insertions(+), 5 deletions(-)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#858431: strip-nondeterminism does not normalize Unix ownership from zip archives or .epub files

[Chris Lamb]

forcemerge 858431 920732
retitle 858431 strip-nondeterminism does not normalize Unix ownership from zip 
archives or .epub files 
tags 858431 - wontfix
thanks

Two changes here:

 * .epub files are "just" .zip files, so merging and retitling to
match.

 * Unmarking as wontfix; re-reading https://bugs.debian.org/858431#22,
   I believe we should indeed be normalising these.


Best wishes,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#858431: strip-nondeterminism does not normalize Unix ownership from zip archives

[Chris Lamb]

forwarded 858431 
https://salsa.debian.org/reproducible-builds/strip-nondeterminism/issues/4
thanks

I've forwarded this upstream here:

  https://salsa.debian.org/reproducible-builds/strip-nondeterminism/issues/4


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#858431: strip-nondeterminism does not normalize Unix ownership from zip archives

[Reiner Herrmann]

On Wed, Mar 22, 2017 at 07:29:03PM +, Chris Lamb wrote:
> > > What I expect to see, and believe should happen, is all UIDs and GIDs in
> > > the zip archive become 0, owned by root.
> > 
> > That would be inconsistent with the current behaviour with tarballs,
> > which also contain UIDs and GIDs and AFAIK are kept untouched by
> > strip-nondeterminism.

tarballs are currently not touched/supported at all by strip-nondeterminism.

> Indeed, and given that we would want the behaviour to be consistent across
> archive formats and I think this goes beyond what strip-nondetermism should
> do, I am marking this as wontfix.

I think it would be more consistent to also normalize UID/GID in zip files,
as this is some non-determinism (that should be stripped).
And strip-nondeterminism currently also normalizes permissions to 755/644,
which is a bit related to UID/GID.


signature.asc
Description: Digital signature

Bug#858431: strip-nondeterminism does not normalize Unix ownership from zip archives

[Chris Lamb]

tags 858431 + wontfix
thanks

Santiago Vila wrote:

> > What I expect to see, and believe should happen, is all UIDs and GIDs in
> > the zip archive become 0, owned by root.
> 
> That would be inconsistent with the current behaviour with tarballs,
> which also contain UIDs and GIDs and AFAIK are kept untouched by
> strip-nondeterminism.

Indeed, and given that we would want the behaviour to be consistent across
archive formats and I think this goes beyond what strip-nondetermism should
do, I am marking this as wontfix.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-

Bug#858431: strip-nondeterminism does not normalize Unix ownership from zip archives

[Santiago Vila]

On Wed, Mar 22, 2017 at 03:48:02AM -0700, Mike Swanson wrote:

> root@turanga:sn# strip-nondeterminism ?.zip
> root@turanga:sn# bsdtar -tvf 1.zip
> -rwxr-xr-x  0 0  0   0 Mar 22 03:44 root
> -rw-r--r--  0 1000   10010 Mar 22 03:44 user
> root@turanga:sn# bsdtar -tvf 2.zip
> -rwxr-xr-x  0 0  0   0 Mar 22 03:44 root
> -rw-r--r--  0 1001   10020 Mar 22 03:44 user
> 
> What I expect to see, and believe should happen, is all UIDs and GIDs in
> the zip archive become 0, owned by root.

That would be inconsistent with the current behaviour with tarballs,
which also contain UIDs and GIDs and AFAIK are kept untouched by
strip-nondeterminism.

If those zipfiles are created in the build target of debian/rules,
why not just use "fakeroot tar czvf tarball.tar.gz file1 file2" or
"fakeroot zip zipfile.zip file1 file2"?

Also: What if the zipfile or the tarball comes from the orig.tar.gz
and we don't want to alter it in any way?

Thanks.

Bug#858431: strip-nondeterminism does not normalize Unix ownership from zip archives

[Mike Swanson]

Package: strip-nondeterminism
Version: 0.031-1

Zip archives may contain Unix metadata about its member files, including
ownership, mode, and so forth.

strip-nondeterminism fails to correct for ownership, allowing for
archives to be created and maintained with basically arbitrary and
unpredictable UIDs/GIDs, normally the UIDs/GIDs of the user the archive
is being created under.  Example run (starting out with an empty
directory):

chungy@turanga:sn$ fakeroot
root@turanga:sn# mkdir 1 2
root@turanga:sn# touch {1,2}/{root,user}
root@turanga:sn# chown 1000:1001 1/user && chown 1001:1002 2/user
root@turanga:sn# chmod 700 1/root 2/root
root@turanga:sn# zip -qj 1.zip 1/root 1/user && zip -qj 2.zip 2/user
2/root
root@turanga:sn# bsdtar -tvf 1.zip
-rwx--  0 0  0   0 Mar 22 03:44 root
-rw-r--r--  0 1000   10010 Mar 22 03:44 user
root@turanga:sn# bsdtar -tvf 2.zip
-rw-r--r--  0 1001   10020 Mar 22 03:44 user
-rwx--  0 0  0   0 Mar 22 03:44 root
root@turanga:sn# strip-nondeterminism ?.zip
root@turanga:sn# bsdtar -tvf 1.zip
-rwxr-xr-x  0 0  0   0 Mar 22 03:44 root
-rw-r--r--  0 1000   10010 Mar 22 03:44 user
root@turanga:sn# bsdtar -tvf 2.zip
-rwxr-xr-x  0 0  0   0 Mar 22 03:44 root
-rw-r--r--  0 1001   10020 Mar 22 03:44 user

What I expect to see, and believe should happen, is all UIDs and GIDs in
the zip archive become 0, owned by root.