Bug#819883: debootstrap: please make the build reproducible

To: Reiner Herrmann <reiner@reiner-h.de>, 819883@bugs.debian.org
Subject: Bug#819883: debootstrap: please make the build reproducible
From: Cyril Brulebois <kibi@debian.org>
Date: Mon, 4 Apr 2016 23:11:26 +0200
Message-id: <[🔎] 20160404211126.GB6893@mraw.org>
Reply-to: Cyril Brulebois <kibi@debian.org>, 819883@bugs.debian.org
In-reply-to: <[🔎] 20160403133843.GA9256@apollo>
References: <[🔎] 20160403133843.GA9256@apollo>

Hi,

Reiner Herrmann <reiner@reiner-h.de> (2016-04-03):
> Source: debootstrap
> Version: 1.0.80
> Severity: wishlist
> Tags: patch
> User: reproducible-builds@lists.alioth.debian.org
> Usertags: fileordering
> X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org
> 
> Hi!
> 
> While working on the "reproducible builds" effort [1], we have noticed
> that debootstrap could not be built reproducibly.
> The devices.tar.gz tarball contains devices in unsorted (readdir) order.
> 
> The attached patch fixes this by telling tar to sort the archive
> members.
> 
> Regards,
>  Reiner
> 
> [1]: https://wiki.debian.org/ReproducibleBuilds

> diff --git a/Makefile b/Makefile
> index 1020cbc..07682bc 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -36,7 +36,7 @@ devices.tar.gz:
>  	chown 0:0 dev
>  	chmod 755 dev
>  	(cd dev && $(MAKEDEV) std ptmx fd consoleonly)
> -	tar --mtime="$(DATE)" -cf - dev | gzip -9n >devices.tar.gz
> +	tar --sort=name --mtime="$(DATE)" -cf - dev | gzip -9n >devices.tar.gz
>  	@if [ "$$(tar tvf devices.tar.gz | wc -l)" -lt 2 ]; then \
>  		echo " ** devices.tar.gz is empty!" >&2; \
>  		exit 1; \
> diff --git a/debian/control b/debian/control
> index 46e2b93..40cfbcd 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -3,7 +3,7 @@ Section: admin
>  Priority: extra
>  Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
>  Uploaders: Junichi Uekawa <dancer@debian.org>, Colin Watson <cjwatson@debian.org>, Christian Perrier <bubulle@debian.org>, Steve McIntyre <93sam@debian.org>
> -Build-Depends: debhelper (>= 9), makedev (>= 2.3.1-69) [linux-any]
> +Build-Depends: debhelper (>= 9), makedev (>= 2.3.1-69) [linux-any], tar (>= 1.28)
>  Standards-Version: 3.9.6
>  Vcs-Browser: https://anonscm.debian.org/cgit/d-i/debootstrap.git
>  Vcs-Git: https://anonscm.debian.org/git/d-i/debootstrap.git

Thanks for the patch.

I'm not sure it's reasonable to introduce a versioned build-dep on tar
at this point: 1.28 is only available in sid and stretch, and we tend to
backport debootstrap semi-regularly to stable.

Is there any chance we could detect which tar version/features we have,
and only add --sort=name when it's fine to do so?


KiBi.

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#819883: debootstrap: please make the build reproducible
  - From: Reiner Herrmann <reiner@reiner-h.de>

References:
- Bug#819883: debootstrap: please make the build reproducible
  - From: Reiner Herrmann <reiner@reiner-h.de>

Prev by Date: Re: Concatenateable images (armhf) currently not working?
Next by Date: Bug#819883: debootstrap: please make the build reproducible
Previous by thread: Bug#819883: debootstrap: please make the build reproducible
Next by thread: Bug#819883: debootstrap: please make the build reproducible
Index(es):
- Date
- Thread