Your message dated Mon, 16 Jan 2017 18:03:49 +0000 with message-id <E1cTBdF-000Ghw-DQ@fasolo.debian.org> and subject line Bug#783210: fixed in glibc 2.24-9 has caused the Debian Bug report #783210, regarding glibc: please make the package build reproducibly to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
783210: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783210
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: glibc: please make the package build reproducibly
- From: Jérémy Bobbio <lunar@debian.org>
- Date: Thu, 23 Apr 2015 23:30:11 +0200
- Message-id: <20150423213011.GD3712@loar>
- Mail-followup-to: submit@bugs.debian.org
Source: glibc
Version: 2.19-18
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps fileordering umask username uname

Hi!

While working on the “reproducible builds” effort [1], we have noticed that glibc could not be built reproducibly.

The attached patch addresses several issues:

1. The source tarball will now stay identical despite variations of the time of the build, user, group, umask and file ordering.

2. version-info.h currently captures the build time and the current kernel version. In the context of Debian this is not really useful and a new patch simply removes it. The behavior is now the same if built under Linux or not.

3. nscd uses the date and time of the build as a version marker. So a patch is added to allow the build date to be set externally. The date of the latest debian/changelog entry will be used instead of the current time for Debian.

Once applied, glibc can be built reproducibly in our current experimental framework.

[1]: https://wiki.debian.org/ReproducibleBuilds

-- Lunar .''`. lunar@debian.org : :Ⓐ : # apt-get install anarchism `. `'` `-diff --git a/debian/changelog b/debian/changelog index a06fc11..fbb6d32 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,18 @@ +glibc (2.19-18.0~reproducible1) UNRELEASED; urgency=low + + * Make the package build reproducibly: + - any/local-reproducible-version-info.diff: new patch to remove build + system information and build date from version-info.h. + - any/unsubmitted-allow-to-set-build-date.diff: allow to set the + build date through an environment variable when running ./configure. + This is then used in nscd. + - Set the previously mentioned build date to the latest debian/changelog + entry. + - Create source tarball in a deterministic manner: adjust file + modification time, user, group, permissions, and file order. + + -- Jérémy Bobbio <lunar@debian.org> Thu, 23 Apr 2015 11:18:59 +0200 + glibc (2.19-18) unstable; urgency=medium [ Aurelien Jarno ] diff --git a/debian/patches/any/local-reproducible-version-info.diff b/debian/patches/any/local-reproducible-version-info.diff new file mode 100644 index 0000000..06012ea --- /dev/null +++ b/debian/patches/any/local-reproducible-version-info.diff 
@@ -0,0 +1,49 @@ +To enable glibc to build reproducibly, we remove build system information +and build date from version-info.h. + +diff --git a/csu/Makefile b/csu/Makefile +index b5afea0..211c2e6 100644 +--- a/csu/Makefile ++++ b/csu/Makefile +@@ -133,40 +133,7 @@ all-Banner-files = $(wildcard $(addsuffix /Banner,\ + $(sysdeps-srcdirs)))) + $(objpfx)version-info.h: $(common-objpfx)config.make $(all-Banner-files) + $(make-target-directory) +- (case $(config-os) in \ +- linux*) version=`(printf '%s\n%s\n' \ +- '#include <linux/version.h>' \ +- UTS_RELEASE \ +- | $(CC) $(CPPFLAGS) -O -E -P - -DNOT_IN_libc=1 | \ +- sed -e 's/"\([^"]*\)".*/\1/p' -e d) 2>/dev/null`;\ +- if [ -z "$$version" ]; then \ +- version=`(printf '%s\n%s\n' \ +- '#include <linux/version.h>' \ +- LINUX_VERSION_CODE \ +- | $(CC) $(CPPFLAGS) -O -E -P - -DNOT_IN_libc=1 \ +- | sed -n -e '/^[123456789].*/p' \ +- | awk '{v=$$1; \ +- printf("%d.%d.%d\n", \ +- v/65535, v/256%256, v%256)}') \ +- 2>/dev/null`; \ +- fi; \ +- if [ -z "$$version" ]; then \ +- if [ -r /proc/version ]; then \ +- version=`sed 's/.*Linux version \([^ ]*\) .*/>>\1<</' \ +- < /proc/version`; \ +- else \ +- version=`uname -r`; \ +- fi; \ +- fi; \ +- os=`uname -s 2> /dev/null`; \ +- if [ -z "$$os" ]; then \ +- os=Linux; \ +- fi; \ +- printf '"Compiled on a %s %s system on %s.\\n"\n' \ +- "$$os" "$$version" "`date +%Y-%m-%d`";; \ +- *) ;; \ +- esac; \ +- files="$(all-Banner-files)"; \ ++ (files="$(all-Banner-files)"; \ + if test -n "$$files"; then \ + printf '"Available extensions:\\n"\n'; \ + sed -e '/^#/d' -e 's/^[[:space:]]*/ /' \ diff --git a/debian/patches/any/unsubmitted-allow-to-set-build-date.diff b/debian/patches/any/unsubmitted-allow-to-set-build-date.diff new file mode 100644 index 0000000..df7662a --- /dev/null +++ b/debian/patches/any/unsubmitted-allow-to-set-build-date.diff 
@@ -0,0 +1,75 @@ +nscd uses the date and time of the build as a version marker. In order to allow +builds to be reproducible, we now allow the date to be set by the environment +variable BUILD_DATE when running ./configure. + +diff --git a/config.h.in b/config.h.in +index 40797e7..02ccb2d 100644 +--- a/config.h.in ++++ b/config.h.in +@@ -246,3 +246,6 @@ + #undef HAVE_MIPS_NAN2008 + + #endif ++ ++/* Date and time of the build. */ ++#undef BUILD_DATE +diff --git a/configure.ac b/configure.ac +index f3dd87d..aa0b30d 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2173,6 +2173,11 @@ RELEASE=`sed -n -e 's/^#define RELEASE "\([^"]*\)"/\1/p' < $srcdir/version.h` + AC_SUBST(VERSION) + AC_SUBST(RELEASE) + ++if "x$BUILD_DATE" = x; then ++ BUILD_DATE=`LC_ALL=C date -u '+%b %_d %Y %H:%M:%S'` ++fi ++AC_DEFINE_UNQUOTED([BUILD_DATE], ["$BUILD_DATE"], "Date and time of the build.") ++ + AC_CONFIG_FILES([config.make Makefile]) + AC_CONFIG_COMMANDS([default],[[ + case $CONFIG_FILES in *config.make*) +diff --git a/configure b/configure +index fc023d0..b03be3f 100755 +--- a/configure ++++ b/configure +@@ -7387,6 +7394,15 @@ + + + ++if "x$BUILD_DATE" = x; then ++ BUILD_DATE=`LC_ALL=C date -u '+%b %_d %Y %H:%M:%S'` ++fi ++ ++cat >>confdefs.h <<_ACEOF ++#define BUILD_DATE "$BUILD_DATE" ++_ACEOF ++ ++ + ac_config_files="$ac_config_files config.make Makefile" + + ac_config_commands="$ac_config_commands default" +diff --git a/nscd/nscd_stat.c b/nscd/nscd_stat.c +index 997ff46..1e75b84 100644 +--- a/nscd/nscd_stat.c ++++ b/nscd/nscd_stat.c +@@ -28,6 +28,7 @@ + #include <libintl.h> + + #include "nscd.h" ++#include "config.h" + #include "dbg_log.h" + #include "selinux.h" + #ifdef HAVE_SELINUX +@@ -37,7 +38,11 @@ + + + /* We use this to make sure the receiver is the same. */ ++#ifdef BUILD_DATE ++static const char compilation[21] = BUILD_DATE; ++#else + static const char compilation[21] = __DATE__ " " __TIME__; ++#endif + + /* Statistic data for one database. */ + struct dbstat 
diff --git a/debian/patches/series b/debian/patches/series index a5f9cac..5a95f62 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -272,3 +272,5 @@ any/cvs-getnetbyname.diff any/cvs-vfprintf.diff any/cvs-wscanf.diff any/cvs-ldconfig-aux-cache.diff +any/local-reproducible-version-info.diff +any/unsubmitted-allow-to-set-build-date.diff diff --git a/debian/rules b/debian/rules index 24167cd..e483a4e 100755 --- a/debian/rules +++ b/debian/rules @@ -58,6 +58,11 @@ DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control | cut -f DEB_VERSION := $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ') GLIBC_VERSION = $(shell echo $(DEB_VERSION) | sed -e 's/.*://' -e 's/-.*//') +DEB_BUILD_DATE := $(shell dpkg-parsechangelog -S Date) +# this one will be picked by configure script +BUILD_DATE = $(shell date -u +'%b %_d %Y %H:%M:%S' -d '$(DEB_BUILD_DATE)') +export BUILD_DATE + DEB_BUILDDIR ?= $(build-tree)/$(DEB_HOST_ARCH)-$(curpass) GLIBC_SOURCES = $(addprefix $(shell basename $(CURDIR))/, \ diff --git a/debian/rules.d/build.mk b/debian/rules.d/build.mk index 4df383c..91b8cab 100644 --- a/debian/rules.d/build.mk +++ b/debian/rules.d/build.mk @@ -275,9 +275,17 @@ endif $(stamp)source: $(stamp)patch mkdir -p $(build-tree) - tar -c -J -C .. \ - -f $(build-tree)/glibc-$(GLIBC_VERSION).tar.xz \ - $(GLIBC_SOURCES) + cd .. && \ + find $(GLIBC_SOURCES) -depth -newermt '$(DEB_BUILD_DATE)' \ + -print0 | \ + xargs -0r touch --no-dereference --date='$(DEB_BUILD_DATE)' + cd .. && \ + find $(GLIBC_SOURCES) -print0 | \ + LC_ALL=C sort -z | \ + tar -c -J --null -T - --no-recursion \ + --mode=go=rX,u+rw,a-s \ + --owner=root --group=root --numeric-owner \ + -f $(CURDIR)/$(build-tree)/glibc-$(GLIBC_VERSION).tar.xz mkdir -p debian/glibc-source/usr/src/glibc tar cf - --files-from debian/glibc-source.filelist \ | tar -x -C debian/glibc-source/usr/src/glibc -f -Attachment: signature.asc
Description: Digital signature
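Review bot: In the configure.ac hunk (and the matching hunk in the generated configure), `if "x$BUILD_DATE" = x; then` is missing `test`, so the shell tries to execute the expanded string as a command instead of comparing it. With BUILD_DATE unset the command `x` is not found, the branch is skipped, and BUILD_DATE ends up defined as an empty string rather than the `date -u` fallback. Write `if test "x$BUILD_DATE" = x; then`. The description argument of AC_DEFINE_UNQUOTED should also use m4 quoting, `[Date and time of the build.]`, instead of shell double quotes.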
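Review bot: In the nscd/nscd_stat.c hunk, `static const char compilation[21] = BUILD_DATE;` places an externally supplied string into a fixed 21-byte array with nothing checking its length or format. `__DATE__ " " __TIME__` is always 20 characters plus the terminator; a BUILD_DATE of any other shape is either too long for the initializer or leaves the marker zero-padded, and this is the value the comment says is used "to make sure the receiver is the same". Validate the value in configure or add a compile-time check on `sizeof BUILD_DATE`, and document the expected `'%b %_d %Y %H:%M:%S'` format. Since configure.ac defines BUILD_DATE unconditionally, the `#else` branch is unreachable and can be dropped.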
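Review bot: In the debian/rules hunk, `BUILD_DATE = $(shell date -u ...)` is a recursively expanded variable, so make re-runs `date` every time the exported variable is expanded; use `:=` as on the DEB_BUILD_DATE line directly above it. A comment should also record that the format string has to match what nscd_stat.c expects from `__DATE__ " " __TIME__`, and that `date -d` and `%_d` rely on GNU date.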
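Review bot: In the debian/rules.d/build.mk hunk, `--no-recursion` comes after `-T -` on the tar command line; the 2.24-9 changelog later in this report moves it before `-T` (bug#829738) and records a 40% smaller glibc-source package, so put it ahead of `-T -` here. The `find ... | xargs -0r touch` step also rewrites modification times in the unpacked source tree as a side effect of creating the tarball; handing the timestamp to tar instead (the later upload switches to `--clamp-mtime`) leaves the tree untouched.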
--- End Message ---
--- Begin Message ---
- To: 783210-close@bugs.debian.org
- Subject: Bug#783210: fixed in glibc 2.24-9
- From: Aurelien Jarno <aurel32@debian.org>
- Date: Mon, 16 Jan 2017 18:03:49 +0000
- Message-id: <E1cTBdF-000Ghw-DQ@fasolo.debian.org>
Source: glibc
Source-Version: 2.24-9

We believe that the bug you reported is fixed in the latest version of glibc, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 783210@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Aurelien Jarno <aurel32@debian.org> (supplier of updated glibc package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 16 Jan 2017 18:43:37 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3 libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390 libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64 libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32 libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32 libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67 libc0.1-i686 libc0.3-i686 libc6-i686
Architecture: source
Version: 2.24-9
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Changed-By: Aurelien Jarno <aurel32@debian.org>
Description:
 glibc-doc - GNU C Library: Documentation
 glibc-source - GNU C Library: sources
 libc-bin - GNU C Library: Binaries
 libc-dev-bin - GNU C Library: Development binaries
 libc-l10n - GNU C Library: localization files
 libc0.1 - GNU C Library: Shared libraries
 libc0.1-dbg - GNU C Library: detached debugging symbols
 libc0.1-dev - GNU C Library: Development Libraries and Header Files
 libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
 libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
 libc0.1-i686 - transitional dummy package
 libc0.1-pic - GNU C Library: PIC archive library
 libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3 - GNU C Library: Shared libraries
 libc0.3-dbg - GNU C Library: detached debugging symbols
 libc0.3-dev - GNU C Library: Development Libraries and Header Files
 libc0.3-i686 - transitional dummy package
 libc0.3-pic - GNU C Library: PIC archive library
 libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc0.3-xen - GNU C Library: Shared libraries [Xen version]
 libc6 - GNU C Library: Shared libraries
 libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
 libc6-dbg - GNU C Library: detached debugging symbols
 libc6-dev - GNU C Library: Development Libraries and Header Files
 libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
 libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
 libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
 libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
 libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
 libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for ppc64
 libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
 libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
 libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
 libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
 libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
 libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
 libc6-i686 - transitional dummy package
 libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
 libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
 libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
 libc6-pic - GNU C Library: PIC archive library
 libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
 libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
 libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
 libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
 libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
 libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
 libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
 libc6-xen - GNU C Library: Shared libraries [Xen version]
 libc6.1 - GNU C Library: Shared libraries
 libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
 libc6.1-dbg - GNU C Library: detached debugging symbols
 libc6.1-dev - GNU C Library: Development Libraries and Header Files
 libc6.1-pic - GNU C Library: PIC archive library
 libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
 locales - GNU C Library: National Language (locale) data [support]
 locales-all - GNU C Library: Precompiled locale data
 multiarch-support - Transitional package to ensure multiarch compatibility
 nscd - GNU C Library: Name Service Cache Daemon
Closes: 783210 796106 847596 850182 850565
Changes:
 glibc (2.24-9) unstable; urgency=medium
 .
 [ Samuel Thibault ]
 * hurd-i386/tg-libpthread-gsync-mutex.diff: Update patch, fixes trylock error return.
 * hurd-i386/tg-magic-pid.diff: New patch, add support for /proc/self.
 * hurd-i386/tg-mlockall.diff: New patch, add support for mlockall.
   - control: Bump gnumach-dev build-depend accordingly.
 * hurd-i386/tg-gsync-libc.diff: Fix linking against built libmachuser instead of installed libmachuser.
 * libc0.3.symbols.hurd-i386: Add vm_wire_all symbols.
 .
 [ Aurelien Jarno ]
 * debian/sysdeps/{amd64,i386,x32}.mk: disable lock elision (aka Intel TSX) on x86 architectures. This causes programs (wrongly) unlocking an already unlocked mutex to abort. More importantly most of the other distributions decided to disable it, so we don't want to be the only distribution left testing this code path. Closes: #850182.
 * debian/rules.d/build.mk: pass --no-recursion before -T in the call to tar to workaround or fix bug#829738. This reduces the size of the glibc-source package by 40%
 * debian/patches/localedata/supported.diff: rename the kk_KZ locale with the RK1048 charset to kk_KZ.RK1048 to avoid conflicting with the kk_KZ locale with the PT154 charset. Closes: #847596.
 * debian/patches/git-updates.diff: update from upstream stable branch:
   - debian/patches/alpha/submitted-math-fixes.diff: Drop, merged upstream.
 * patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a NULL pointer dereference in libresolv when receiving a T_UNSPEC internal QTYPE (CVE-2015-5180). Closes: #796106.
 * Make the package build reproducibly, thanks to Ximin Luo for the patch. Closes: #783210.
   - debian/rules: export SOURCE_DATE_EPOCH when not building with dpkg-buildpackage.
   - debian/rules.d/build.mk: use --clamp-mtime instead of touching the files.
   - debian/rules.d/debhelper.mk: do not chmod +x the shell script, call it with sh instead.
 * debian/rules.d/control.mk: Add the sh3 architecture to libc6_archs. Closes: #850565.
--- End Message ---
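The tarball normalisation described in the first message, combined with the `--no-recursion` placement and `--clamp-mtime` approach named in the 2.24-9 changelog, as an added example that is not part of the bug report or the glibc packaging. It assumes GNU tar 1.29 or later plus GNU findutils and coreutils; the sample tree, file names and function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the glibc packaging. Assumes GNU tar >= 1.29,
# GNU findutils and coreutils. The tree and file names are constructed.
set -eu

# 2015-04-23 09:18:59 UTC, the changelog date in the patch, as epoch seconds.
SOURCE_DATE_EPOCH=1429780739

# make_tree DIR "FILES" UMASK: create sample sources in the given order.
make_tree() (
    umask "$3"
    mkdir -p "$1/src"
    for f in $2; do printf 'content of %s\n' "$f" > "$1/src/$f"; done
)

# naive_tar DIR OUT: inherits mtime, mode, owner and readdir order.
naive_tar() { tar -c -C "$1" -f "$2" src; }

# repro_tar DIR OUT: fix entry order, mtime, mode and owner.
repro_tar() {
    ( cd "$1" &&
      find src -print0 | LC_ALL=C sort -z |
      tar -c --format=gnu --null --no-recursion -T - \
          --mtime="@$SOURCE_DATE_EPOCH" --clamp-mtime \
          --mode=go=rX,u+rw,a-s \
          --owner=0 --group=0 --numeric-owner -f - ) > "$2"
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

# same_or_differ KIND A B: archive both trees with KIND_tar, compare digests.
same_or_differ() {
    "${1}_tar" "$2" "$2.$1.tar"
    "${1}_tar" "$3" "$3.$1.tar"
    if [ "$(digest "$2.$1.tar")" = "$(digest "$3.$1.tar")" ]
    then echo same; else echo differ; fi
}

# compare_builds: two "builds" differing in umask, creation order and mtime.
compare_builds() {
    work=$(mktemp -d)
    make_tree "$work/a" "a.c b.c c.c" 022
    make_tree "$work/b" "c.c a.c b.c" 077
    find "$work/b" -exec touch -d '2016-01-01 00:00:00 UTC' {} +
    echo "naive=$(same_or_differ naive "$work/a" "$work/b")" \
         "repro=$(same_or_differ repro "$work/a" "$work/b")"
    rm -rf "$work"
}

compare_builds
```

Both sample trees carry modification times later than the reference date, so `--clamp-mtime` pins them to it; files older than the reference date would keep their own timestamps.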