Bug#738591: lintian: Add checker for timestamped gzip files
On 12/02/14 11:03, Jérémy Bobbio wrote:
> Tomasz Buchert:
> > The reason I did it is that I wanted to keep "backwards compatibility".
> > Another solution is to drop "gzip-file-is-not-multi-arch-same-safe"
> > altogether, of course.
>
> The latter is severity “important”. “Multi-Arch: Same” packages for
> different architectures will be uninstallable if they do not contain
> identical data files. That's a serious problem. Reproducibility issues
> do not affect users in the same way.
>
> It could make sense to emit either “gzip-file-is-not-multi-arch-same-safe” or
> “package-contains-timestamped-gzip” instead of emitting both as they
> should be fixed by the same changes.
>
> --
> Jérémy Bobbio .''`.
> jeremy.bobbio@irq7.fr : : : lunar@debian.org
> `. `'` lunar@torproject.org
> `-
I wasn't aware of this. I updated the patch.
Tomasz
From b21b1dd328d6efb3b8e9d63e3c56e3ce3e0b2d8e Mon Sep 17 00:00:00 2001
From: Tomasz Buchert <tomasz.buchert@inria.fr>
Date: Tue, 11 Feb 2014 10:11:20 +0100
Subject: [PATCH] new tag: package-contains-timestamped-gzip (+ test)
---
checks/files.desc | 10 ++++++++++
checks/files.pm | 15 ++++++++++-----
t/tests/files-reproducibility/debian/Makefile | 9 +++++++++
t/tests/files-reproducibility/desc | 6 ++++++
t/tests/files-reproducibility/tags | 1 +
5 files changed, 36 insertions(+), 5 deletions(-)
create mode 100644 t/tests/files-reproducibility/debian/Makefile
create mode 100644 t/tests/files-reproducibility/desc
create mode 100644 t/tests/files-reproducibility/tags
diff --git a/checks/files.desc b/checks/files.desc
index 760f86a..f0b9444 100644
--- a/checks/files.desc
+++ b/checks/files.desc
@@ -1448,3 +1448,13 @@ Info: The given file is in PATH but consists of non-ASCII characters.
.
Note that Lintian may be unable to display the filename accurately.
Unprintable characters may have been replaced.
+
+Tag: package-contains-timestamped-gzip
+Severity: wishlist
+Certainty: certain
+Info: The package contains a gzip'ed file that has timestamps.
+ Such files make the packages unreproducible, because their
+ contents depend on the time when the package was built.
+ .
+ Please consider passing the "-n" flag to gzip to avoid this.
+Ref: https://wiki.debian.org/ReproducibleBuilds
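Review bot: the Info text says the file "has timestamps", but the check in checks/files.pm only tests whether the mtime field of the gzip header is non-zero. Consider wording it as "a gzip-compressed file whose header records a non-zero modification time" so that maintainers know exactly what was detected. The "-n" hint also only helps when gzip itself is invoked; a sentence noting that other tools producing .gz files need their own equivalent would make the tag actionable in those cases too.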
diff --git a/checks/files.pm b/checks/files.pm
index 5c5a60d..858d9f4 100644
--- a/checks/files.pm
+++ b/checks/files.pm
@@ -1400,23 +1400,28 @@ sub run {
my $finfo = $info->file_info($file) || '';
if ($finfo !~ m/gzip compressed/) {
tag 'gz-file-not-gzip', $file;
- } elsif ($isma_same && $file !~ m/\Q$arch\E/o) {
+ } else {
my $path = $info->unpacked($file);
my $buff;
+ my $mtime;
open(my $fd, '<', $path);
# We need to read at least 8 bytes
if (sysread($fd, $buff, 1024) >= 8) {
# Extract the flags and the mtime.
# NN NN NN NN, NN NN NN NN - bytes read
# __ __ __ __, $mtime - variables
- my (undef, $mtime) = unpack('NN', $buff);
- if ($mtime){
- tag 'gzip-file-is-not-multi-arch-same-safe',$file;
- }
+ (undef, $mtime) = unpack('NN', $buff);
} else {
fail "reading $file: $!";
}
close($fd);
+ if ($mtime != 0) {
+ if ($isma_same && $file !~ m/\Q$arch\E/o) {
+ tag 'gzip-file-is-not-multi-arch-same-safe', $file;
+ } else {
+ tag 'package-contains-timestamped-gzip', $file;
+ }
+ }
}
}
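Review bot: with the `elsif` turned into a plain `else`, the unchecked `open(my $fd, '<', $path);` now runs for every .gz file in every package rather than only for Multi-Arch: same ones. A failed open currently surfaces only indirectly through the `fail "reading $file: $!"` branch after sysread; checking it directly with `or fail "opening $file: $!"` would give a clearer diagnostic. Separately, `unpack('NN', $buff)` decodes the second word as big-endian while the gzip header stores MTIME little-endian. That is harmless for the `$mtime != 0` test, but a comment saying the value is only ever compared against zero would stop it being reused as a real timestamp.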
diff --git a/t/tests/files-reproducibility/debian/Makefile b/t/tests/files-reproducibility/debian/Makefile
new file mode 100644
index 0000000..c5f6bc7
--- /dev/null
+++ b/t/tests/files-reproducibility/debian/Makefile
@@ -0,0 +1,9 @@
+ROOT=$(DESTDIR)/usr/share/files-reproducibility
+
+default:
+ :
+
+install:
+ mkdir -p $(ROOT)
+ echo "Hello" | gzip - -c > $(ROOT)/gzip-with-timestamp.gz
+ echo "Hello" | gzip - -nc > $(ROOT)/gzip-without-timestamp.gz
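Review bot: in both install recipe lines the `-` operand comes before the options (`gzip - -c`, `gzip - -nc`), which relies on the option parser permuting arguments. Since gzip reads stdin by default when no file is given, `gzip -c` and `gzip -nc` would be simpler and would not depend on that behaviour.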
diff --git a/t/tests/files-reproducibility/desc b/t/tests/files-reproducibility/desc
new file mode 100644
index 0000000..8cbbae9
--- /dev/null
+++ b/t/tests/files-reproducibility/desc
@@ -0,0 +1,6 @@
+Testname: files-reproducibility
+Sequence: 6000
+Version: 1.0
+Description: Test if package is reproducible
+Test-For:
+ package-contains-timestamped-gzip
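Review bot: Test-For lists only package-contains-timestamped-gzip, so the restructured Multi-Arch: same branch in checks/files.pm is not exercised by this new test. A second fixture built as Multi-Arch: same that expects only gzip-file-is-not-multi-arch-same-safe would confirm the two tags are mutually exclusive as intended. The Description "Test if package is reproducible" is also broader than what is checked; something like "Test for gzip files with embedded timestamps" would match the tag.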
diff --git a/t/tests/files-reproducibility/tags b/t/tests/files-reproducibility/tags
new file mode 100644
index 0000000..150dd0a
--- /dev/null
+++ b/t/tests/files-reproducibility/tags
@@ -0,0 +1 @@
+I: files-reproducibility: package-contains-timestamped-gzip usr/share/files-reproducibility/gzip-with-timestamp.gz
--
1.8.5.3