Bug#996572: gcc-arm-none-eabi: reproducible builds: source tarball includes non-deterministic files

[Vagrant Cascadian]

Source: gcc-arm-none-eabi
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness username timestamps fileordering
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The file /autom4te.cache/requests includes non-deterministic ordering,
and is shipped inside /usr/src/gcc-arm-none-eabi-source.tar.xz

  
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/gcc-arm-none-eabi.html

Patch to debian/rules attached which excludes autom4ate.cache from the
tarball, as well as sorting by name, set the user and group ids, and
setting the timestamp using SOURCE_DATE_EPOCH. These additional
normalizations will be needed if Rules-Requires-Root is ever enabled.

It might be worth considering excluding .pc from the tarball as well;
though this isn't strictly necessary for reproducible builds.


This patch alone does not fix all reproducibility issues (e.g. build
paths, which are only tested on unstable and experimental), but with the
patch from #996194 applied, this should become reproducible once it
migrates to bookworm.


Thanks for maintaining gcc-arm-none-eabi!


live well,
  vagrant

From 5d35d46092e41d95d3f9e76d8043c044ddbdca07 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagr...@reproducible-builds.org>
Date: Fri, 15 Oct 2021 17:07:51 +0000
Subject: [PATCH 2/3] debian/rules: Generate tarball reproducibly.

Exclude autom4ate.cache directory (contains autogenerated
non-deterministic files), sort by name, set the user and group ids,
and set timestamp using SOURCE_DATE_EPOCH.
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 07d9a2571..8f2e6526a 100755
--- a/debian/rules
+++ b/debian/rules
@@ -101,7 +101,7 @@ override_dh_strip:
 override_dh_install:
 	dh_install -p$(PACKAGE_GCC) --sourcedir $(GCC_DEB_TMP_DIR)
 	mkdir -p $(GCC_SOURCE_DEB_TMP_DIR)/usr/src
-	tar --exclude=build --exclude=.git --exclude=debian -C $(TOP_DIR) -c -f - . | xz -T0 > $(GCC_SOURCE_DEB_TMP_DIR)/usr/src/$(PACKAGE_GCC_SOURCE).tar.xz
+	tar --exclude=build --exclude=.git --exclude=debian --exclude=autom4te.cache --sort=name --mtime="@$(SOURCE_DATE_EPOCH)" --owner=0 --group=0 --numeric-owner -C $(TOP_DIR) -c -f - . | xz -T0 > $(GCC_SOURCE_DEB_TMP_DIR)/usr/src/$(PACKAGE_GCC_SOURCE).tar.xz
 	dh_install -p$(PACKAGE_GCC_SOURCE) --sourcedir $(GCC_SOURCE_DEB_TMP_DIR)
 
 override_dh_compress:
-- 
2.30.2

signature.asc
Description: PGP signature