Bug#920631: debian-installer: Ensure build is reproducible regardless of the user's umask(2)
Package: debian-installer
Severity: wishlist
Version: 20190118
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain environment
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Hi,
Attached is the following:
commit 74d332d454fa246af50b469e2c5dec73e452572c
Author: Chris Lamb <lamby@debian.org>
Date: Sun Jan 27 17:31:43 2019 +0100
Ensure build is reproducible regardless of the user's umask(2).
Set consistent file creation modes at strategic points to ensure that the
resulting build is reproducible regardless of whether the user is using the
default Debian umask (022) or another (eg. 002).
build/Makefile | 16 ++++++++++++----
build/config/common | 5 +++++
2 files changed, 17 insertions(+), 4 deletions(-)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
>From 74d332d454fa246af50b469e2c5dec73e452572c Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Sun, 27 Jan 2019 17:31:43 +0100
Subject: [PATCH] Ensure build is reproducible regardless of the user's
umask(2).
Set consistent file creation modes at strategic points to ensure that the
resulting build is reproducible regardless of whether the user is using the
default Debian umask (022) or another (eg. 002).
---
build/Makefile | 16 ++++++++++++----
build/config/common | 5 +++++
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/build/Makefile b/build/Makefile
index 2e6a0c76c..f6535a04f 100644
--- a/build/Makefile
+++ b/build/Makefile
@@ -146,6 +146,11 @@ define clamp_mtimes
find $(1) -newermt "@$(SOURCE_DATE_EPOCH)" -print0 | xargs -0r touch --no-dereference --date="@$(SOURCE_DATE_EPOCH)"
endef
+define normalise_permissions
+ find $(1) -type d -print0 | xargs -0r chmod $(DIR_MODE)
+ find $(1) -type f -print0 | xargs -0r chmod $(FILE_MODE)
+endef
+
# Limit on mfsroot size. It is determined by NKPT (in <machine/pmap.h).
# On amd64, it can be increased by increasing this variable. On i386,
# this is a hard limit due to constraints of 4 GiB VM space.
@@ -312,6 +317,7 @@ release:
cd $(BASE_DEST) && sha256sum `find -L . -type f | sort` > SHA256SUMS
# We have just modified files
$(clamp_mtimes) $(BASE_DEST)
+ $(normalise_permissions) $(BASE_DEST)
# The general tree target.
$(STAMPS)tree-unpack-$(targetstring)-stamp: $(STAMPS)get_udebs-$(targetstring)-stamp
@@ -654,9 +660,10 @@ endif
# Remove extra udebs now that we're done with them.
rm -rf $(EXTRAUDEBSDIR)
- # Clamp timestamps to be no later than SOURCE_DATE_EPOCH before they
- # get added to media.
+ # Clamp timestamps to be no later than SOURCE_DATE_EPOCH and normalise
+ # file modes before they get added to media.
$(clamp_mtimes) $(TREE)
+ $(normalise_permissions) $(TREE)
# Tree target ends here. Whew!
@touch $@
@@ -754,9 +761,10 @@ ifeq ($(DEB_HOST_ARCH_OS),hurd)
fi
endif
- # We may have modified $(TREE)/lib, so re-clamp before placing these
- # files into archives.
+ # We may have modified $(TREE)/lib, so re-clamp and normalise before
+ # placing these files into archives.
$(clamp_mtimes) $(TREE)/lib
+ $(normalise_permissions) $(TREE)/lib
install -d $(TEMP)
diff --git a/build/config/common b/build/config/common
index 9409dfd8f..0dcdd04be 100644
--- a/build/config/common
+++ b/build/config/common
@@ -69,6 +69,11 @@ SOURCE_DATE_EPOCH ?= $(shell date '+%s')
# to reproduce the build.
BUILD_DATE ?= $(shell date -u '+%Y%m%d-%H:%M:%S' -d '@$(SOURCE_DATE_EPOCH)')
+# Set consistent file creation modes for a reproducible build, taking care not
+# to modify existing executable bits on files.
+DIR_MODE = 755
+FILE_MODE = u+rw,g+r-w,o+r-w
+
# Produce a beep at boot menu
BOOTMENU_BEEP ?= n
--
2.20.1
Reply to: