
Bug#1010378: leds-alix: reproducible builds: source tarball embeds timestamps and umask



Source: leds-alix
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps umask
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

leds-alix-source embeds the timestamp and file permissions determined by
umask in the leds-alix source tarball:

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/leds-alix.html

  /usr/src/leds-alix.tar.bz2

  -rw-r--r--···0·root·········(0)·root·········(0)·····3610·2022-04-15·23:37:31.000000·modules/leds-alix/leds-alix.c
vs.
  -rw-rw-r--···0·root·········(0)·root·········(0)·····3610·2023-05-19·06:01:18.000000·modules/leds-alix/leds-alix.c

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent timestamp, file permissions, sort
order, user, group, uid and gid in the generated tarball.


With this patch applied, leds-alix should become reproducible on
tests.reproducible-builds.org!


live well,
  vagrant
From 7f79cf28e70fdc2c0832f10517f29f7a9be3b61e Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Fri, 29 Apr 2022 21:35:18 +0000
Subject: [PATCH 1/2] debian/rules: Generate tarball reproducibly.

Pass arguments to tar to set sort order, timestamps, owner, group and
mode.
---
 debian/rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 1068a59..59012aa 100755
--- a/debian/rules
+++ b/debian/rules
@@ -48,7 +48,7 @@ install: build
 	dh_installdirs -p$(psource)  usr/src/modules/$(sname)/debian
 	cp Makefile leds-alix.c $(DESTDIR)
 	cp debian/*modules.in* debian/control debian/rules debian/changelog debian/copyright debian/README.Debian $(DESTDIR)/debian
-	cd debian/$(psource)/usr/src && tar c modules | bzip2 -9 > $(sname).tar.bz2 && rm -rf modules
+	cd debian/$(psource)/usr/src && tar --sort=name --mtime="@$(SOURCE_DATE_EPOCH)" --owner=0 --group=0 --numeric-owner --mode=go=rX,u+rw,a-s --create modules | bzip2 -9 > $(sname).tar.bz2 && rm -rf modules
 	dh_install
 
 binary-indep: build install
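Review bot: the new tar line expands `$(SOURCE_DATE_EPOCH)` with no visible definition or guard in this hunk, so when debian/rules is run in an environment that does not export it, tar is handed `--mtime="@"`. Whatever tar does with that value, its exit status is discarded, because the recipe's pipeline status is that of `bzip2 -9` and `rm -rf modules` runs regardless. Consider making sure the variable is always set (for example by including /usr/share/dpkg/pkg-info.mk, which derives it from debian/changelog) or failing early when it is empty, and writing the tar output to a file before compressing so that a tar error stops the rule.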
-- 
2.30.2
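A local check of what these tar arguments achieve, as an added example that is not part of the original report or patch: it builds the same tree twice under different umasks and mtimes, then compares archive hashes with and without the normalizing flags. The sample files, epoch values and function names are constructed, GNU tar 1.28 or later is assumed, and `-f -` is added only to make writing to stdout explicit.

```shell
#!/bin/sh
# Constructed sample tree; only the modules/leds-alix layout comes from the report.

# make_tree DIR UMASK EPOCH: create the tree under DIR with the given umask and mtime.
make_tree() {
    (
        umask "$2"
        mkdir -p "$1/modules/leds-alix"
        printf 'int sample;\n' > "$1/modules/leds-alix/leds-alix.c"
        printf 'obj-m := leds-alix.o\n' > "$1/modules/leds-alix/Makefile"
        find "$1/modules" -exec touch -d "@$3" {} +
    )
}

# naive_hash DIR: hash of the tar stream as the old rule produced it.
naive_hash() {
    (cd "$1" && tar -c -f - modules | sha256sum | cut -d' ' -f1)
}

# normalized_hash DIR EPOCH: hash of the tar stream with the patch's arguments.
normalized_hash() {
    (cd "$1" && tar --sort=name --mtime="@$2" --owner=0 --group=0 \
        --numeric-owner --mode=go=rX,u+rw,a-s --create -f - modules \
        | sha256sum | cut -d' ' -f1)
}

work=$(mktemp -d)
epoch=1651268118                          # constructed SOURCE_DATE_EPOCH value
make_tree "$work/a" 022 1650065851        # first build: umask 022, older mtime
make_tree "$work/b" 002 1684476078        # second build: umask 002, newer mtime

echo "naive a:      $(naive_hash "$work/a")"
echo "naive b:      $(naive_hash "$work/b")"
echo "normalized a: $(normalized_hash "$work/a" "$epoch")"
echo "normalized b: $(normalized_hash "$work/b" "$epoch")"
rm -rf "$work"
```

The two naive hashes differ because the headers carry each build's mode and mtime; the two normalized hashes are identical.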
