
Bug#738591: lintian: Add checker for timestamped gzip files



Hi Niels,

On 11/02/14 19:11, Niels Thykier wrote:
> On 2014-02-11 10:53, Tomasz Buchert wrote:
> [...]
> 
> Hi,
> 
> Thanks for working on it and producing a patch for it as well. :)
> 
> > Currently, it will emit "package-contains-timestamped-gzip"
> > on any file ending with ".gz", being a gzip file and containing
> > a timestamp. It means that currently the tag "gzip-file-is-not-multi-arch-same-safe" 
> > will imply "package-contains-timestamped-gzip".
> 
> Ok - not sure if anyone has any feeling for or against that. I am a
> /little/ concerned with it creating "too much output" (for new users),
> but other than that I don't care too much.
> 

The reason I did it is that I wanted to keep "backwards compatibility".
Another solution is to drop "gzip-file-is-not-multi-arch-same-safe"
altogether, of course.

> 
> [...]
> 
> 
> Otherwise, it looks good at first glance (without having tested it).
> 
> ~Niels
> 

Thanks for the review! I attach a new patch that (hopefully)
addresses your issues.

Tomasz
>From 5f9f1e9fea7435f3eacbc95b00ebe835c8f1eca9 Mon Sep 17 00:00:00 2001
From: Tomasz Buchert <tomasz.buchert@inria.fr>
Date: Tue, 11 Feb 2014 10:11:20 +0100
Subject: [PATCH] new tag: package-contains-timestamped-gzip (+ test)

---
 checks/files.desc                             | 10 ++++++++++
 checks/files.pm                               | 14 +++++++++-----
 t/tests/files-reproducibility/debian/Makefile |  9 +++++++++
 t/tests/files-reproducibility/desc            |  6 ++++++
 t/tests/files-reproducibility/tags            |  1 +
 5 files changed, 35 insertions(+), 5 deletions(-)
 create mode 100644 t/tests/files-reproducibility/debian/Makefile
 create mode 100644 t/tests/files-reproducibility/desc
 create mode 100644 t/tests/files-reproducibility/tags

diff --git a/checks/files.desc b/checks/files.desc
index 760f86a..f0b9444 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -1448,3 +1448,13 @@ Info: The given file is in PATH but consists of non-ASCII characters.
  .
  Note that Lintian may be unable to display the filename accurately.
  Unprintable characters may have been replaced.
+
+Tag: package-contains-timestamped-gzip
+Severity: wishlist
+Certainty: certain
+Info: The package contains a gzip'ed file that has timestamps.
+ Such files make the packages unreproducible, because their
+ contents depend on the time when the package was built.
+ .
+ Please consider passing the "-n" flag to gzip to avoid this.
+Ref: https://wiki.debian.org/ReproducibleBuilds
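Review bot: the Info text says the file "has timestamps" without saying which one, so a maintainer reading the tag cannot tell whether it is about the file's mtime in the package or the gzip header. Consider wording it as "a gzip-compressed file whose header contains a non-zero modification time", which matches what checks/files.pm actually tests. It may also be worth noting next to the "-n" advice that this flag omits the stored original file name as well as the timestamp.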
diff --git a/checks/files.pm b/checks/files.pm
index 5c5a60d..21a0f0c 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1400,23 +1400,27 @@ sub run {
                 my $finfo = $info->file_info($file) || '';
                 if ($finfo !~ m/gzip compressed/) {
                     tag 'gz-file-not-gzip', $file;
-                } elsif ($isma_same && $file !~ m/\Q$arch\E/o) {
+                } else {
                     my $path = $info->unpacked($file);
                     my $buff;
+                    my $mtime;
                     open(my $fd, '<', $path);
                     # We need to read at least 8 bytes
                     if (sysread($fd, $buff, 1024) >= 8) {
                         # Extract the flags and the mtime.
                         #  NN NN  NN NN, NN NN NN NN  - bytes read
                         #  __ __  __ __,    $mtime    - variables
-                        my (undef, $mtime) = unpack('NN', $buff);
-                        if ($mtime){
-                            tag 'gzip-file-is-not-multi-arch-same-safe',$file;
-                        }
+                        (undef, $mtime) = unpack('NN', $buff);
                     } else {
                         fail "reading $file: $!";
                     }
                     close($fd);
+                    if ($mtime != 0) {
+                        if ($isma_same && $file !~ m/\Q$arch\E/o) {
+                            tag 'gzip-file-is-not-multi-arch-same-safe', $file;
+                        }
+                        tag 'package-contains-timestamped-gzip', $file;
+                    }
                 }
             }
 
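Review bot: the `open(my $fd, '<', $path);` in the new `else` branch is unchecked, and with the `$isma_same` condition moved down into the tagging block it now runs for every `.gz` file in every package instead of only Multi-Arch: same ones. A failed open is not reported where it happens; it only shows up at the following `sysread`. Checking it directly, for example `open(my $fd, '<', $path) or fail "opening $file: $!";`, gives a clearer error now that this path is hit far more often. Separately, inside `if ($mtime != 0)` both tags fire for the same file in Multi-Arch: same packages; if the doubled output discussed in the thread is a concern, emitting `package-contains-timestamped-gzip` only when the Multi-Arch tag was not emitted would avoid it.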
diff --git a/t/tests/files-reproducibility/debian/Makefile b/t/tests/files-reproducibility/debian/Makefile
new file mode 100644
index 0000000..c5f6bc7
--- /dev/null
+++ b/t/tests/files-reproducibility/debian/Makefile
@@ -0,0 +1,9 @@
+ROOT=$(DESTDIR)/usr/share/files-reproducibility
+
+default:
+	:
+
+install:
+	mkdir -p $(ROOT)
+	echo "Hello" | gzip - -c > $(ROOT)/gzip-with-timestamp.gz
+	echo "Hello" | gzip - -nc > $(ROOT)/gzip-without-timestamp.gz
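Review bot: the positive case, `echo "Hello" | gzip - -c`, depends on gzip writing a non-zero mtime for data piped on stdin, which the test does not control. Compressing a regular file created in the install target would exercise the header field the check reads without relying on how gzip treats a pipe. As a style point, the options follow the `-` operand in both commands (`gzip - -c`, `gzip - -nc`); `gzip -c` and `gzip -nc` reading stdin are equivalent and do not rely on option permutation.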
diff --git a/t/tests/files-reproducibility/desc b/t/tests/files-reproducibility/desc
new file mode 100644
index 0000000..8cbbae9
--- /dev/null
+++ b/t/tests/files-reproducibility/desc
@@ -0,0 +1,6 @@
+Testname: files-reproducibility
+Sequence: 6000
+Version: 1.0
+Description: Test if package is reproducible
+Test-For:
+ package-contains-timestamped-gzip
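Review bot: `Description: Test if package is reproducible` claims more than the test does, since it only covers the gzip header timestamp tag listed under Test-For. Something like "Test for gzip files with embedded timestamps" would describe it accurately and leave room for further reproducibility tests under the same directory name.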
diff --git a/t/tests/files-reproducibility/tags b/t/tests/files-reproducibility/tags
new file mode 100644
index 0000000..150dd0a
--- /dev/null
+++ b/t/tests/files-reproducibility/tags
@@ -0,0 +1 @@
+I: files-reproducibility: package-contains-timestamped-gzip usr/share/files-reproducibility/gzip-with-timestamp.gz
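Review bot: the expected output only covers the new tag in a package that is not Multi-Arch: same, so the restructured branch in checks/files.pm that emits `gzip-file-is-not-multi-arch-same-safe` together with `package-contains-timestamped-gzip` is not exercised by anything in this patch. A second test package marked Multi-Arch: same, or an updated tags file in an existing one, would pin down the intended combined output.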
-- 
1.8.5.3

