Your message dated Mon, 04 Jan 2021 02:34:04 +0000 with message-id <E1kwFh6-000A6q-Dq@fasolo.debian.org> and subject line Bug#978946: fixed in gfxboot 4.5.73-1 has caused the Debian Bug report #978946, regarding gfxboot: reproducible builds: Embeds user id, group id and timestamps in cpio files to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 978946: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978946 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: gfxboot: reproducible builds: Embeds user id and group id in cpio files
- From: Vagrant Cascadian <vagrant@reproducible-builds.org>
- Date: Thu, 31 Dec 2020 15:51:34 -0800
- Message-id: <8735zlttyx.fsf@yucca>
Source: gfxboot Severity: normal Tags: patch User: reproducible-builds@lists.alioth.debian.org Usertags: username X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org Various cpio archives shipped in gfxboot contain the user id and group id of the build user: https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/gfxboot.html etc/bootsplash/example_01/cdrom/bootlogo -rw-r--r--···1·····1111·····1111····42639·2020-12-24·13:17:48.000000·init vs. -rw-r--r--···1·····2222·····2222····42639·2022-01-26·19:45:05.000000·init The attached patch fixes this by passing the owner argument to the cpio calls when creating the archives. Unfortunately, the cpio archives also embed the timestamps of the files included, which will likely vary between builds, so this does not resolve all reproducibility issues with these archives. Thanks for maintaining gfxboot! live well, vagrantFrom 7a670f72d5305aaf692597f1748937d552d290a3 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian <vagrant@reproducible-builds.org> Date: Thu, 31 Dec 2020 08:57:55 +0000 Subject: [PATCH 1/2] Patch calls to create cpio archives to set owner and group. --- bin/unpack_bootlogo | 2 +- gfxboot | 4 ++-- themes/openSUSE/Makefile | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/bin/unpack_bootlogo b/bin/unpack_bootlogo index ec83d0b..7672e16 100755 --- a/bin/unpack_bootlogo +++ b/bin/unpack_bootlogo @@ -48,7 +48,7 @@ sub unpack_bootlogo } } - open P, "| cd $tmp; cpio --quiet -o >../bootlogo"; + open P, "| cd $tmp; cpio --quiet --owner=+0:+0 -o >../bootlogo"; print P "$_\n" for grep $_, @files; if($xdir) { print P "$_\n" for @ext } close P; diff --git a/gfxboot b/gfxboot index f7cda36..4015dd2 100755 --- a/gfxboot +++ b/gfxboot @@ -2597,7 +2597,7 @@ sub pack_archive } if(@pack_list) { - open $f, "| ( cd $dir ; cpio --quiet -o ) >$file/$archive"; + open $f, "| ( cd $dir ; cpio --quiet --owner=+0:+0 -o ) >$file/$archive"; print $f join("\n", @pack_list); close $f; } @@ -2606,7 +2606,7 @@ sub pack_archive else { $file = $gfxboot_tmp->file; - $i = system "cd $dir ; find . | cpio --quiet -o >$file 2>/dev/null"; + $i = system "cd $dir ; find . | cpio --quiet --owner=+0:+0 -o >$file 2>/dev/null"; die "$file: failed to create archive\n" if $i; } diff --git a/themes/openSUSE/Makefile b/themes/openSUSE/Makefile index 3a71f9b..1c8de69 100644 --- a/themes/openSUSE/Makefile +++ b/themes/openSUSE/Makefile @@ -56,7 +56,7 @@ ifdef DEFAULT_LANG @echo $(DEFAULT_LANG) >bootlogo.dir/lang endif @sh -c 'cd bootlogo.dir; chmod +t * ; chmod -t init languages' - @sh -c 'cd bootlogo.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet -o >../bootlogo' + @sh -c 'cd bootlogo.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet --owner=+0:+0 -o >../bootlogo' message: src/main.bin src/gfxboot.cfg help-boot/.ready po/.ready fonts/.ready @rm -rf message.dir @@ -71,7 +71,7 @@ ifdef DEFAULT_LANG @echo $(DEFAULT_LANG) >message.dir/lang @echo $(DEFAULT_LANG) >>message.dir/languages endif - @sh -c 'cd message.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet -o >../message' + @sh -c 'cd message.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet --owner=+0:+0 -o >../message' clean: @for i in $(SUBDIRS) ; do [ ! -f $$i/Makefile ] || make -C $$i clean || break ; done -- 2.20.1Attachment: signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
- To: 978946-close@bugs.debian.org
- Subject: Bug#978946: fixed in gfxboot 4.5.73-1
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Mon, 04 Jan 2021 02:34:04 +0000
- Message-id: <E1kwFh6-000A6q-Dq@fasolo.debian.org>
- Reply-to: Vagrant Cascadian <vagrant@reproducible-builds.org>
Source: gfxboot Source-Version: 4.5.73-1 Done: Vagrant Cascadian <vagrant@reproducible-builds.org> We believe that the bug you reported is fixed in the latest version of gfxboot, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 978946@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Vagrant Cascadian <vagrant@reproducible-builds.org> (supplier of updated gfxboot package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sun, 03 Jan 2021 18:04:09 -0800 Source: gfxboot Architecture: source Version: 4.5.73-1 Distribution: unstable Urgency: medium Maintainer: Debian QA Group <packages@qa.debian.org> Changed-By: Vagrant Cascadian <vagrant@reproducible-builds.org> Closes: 783398 978946 979125 Changes: gfxboot (4.5.73-1) unstable; urgency=medium . * QA upload. * Update to new upstream version 4.5.73. (Closes: #783398) * gfxboot: pass --reproducible and --owner to cpio. (Closes: #978946) * gfxboot: avoid including the "." directory in the cpio archive. (Closes: #978946) * themes/example*/Makefile: Set time on files in example themes using Makefile as a reference time. (Closes: #978946) * debian/rules: Pass C.UTF-8 locale when building documentation. (Closes: #979125) * debian/control: Set Rules-Requires-Root to "no". * debian/rules: Create a VERSION file since upstream expects it. * debian/rules: Do not build test themes. * debian/control: Update Vcs headers. * debian/copyright: Use https URLs and drop broken link * debian/control: Update Homepage. * debian/source/options, debian/rules: Drop custom compression. * Update to debhelper-compat 13. * debian/rules: Remove obsolete dh_install override. * debian/rules: Do not pass --parallel to dh as it is now the default. * debian/rules: Add target to update upstream changelog. * changelog.upstream: Add changelog for upstream version 4.5.73. * debian/rules: Copy upstream changelog during build. * gfxboot-themes: Add lintian override for package-contains-documentation-outside-usr-share-doc. * debian/control: Update Standards-Version to 4.5.1. * debian/control: Add ${perl:Depends} to Depends. Checksums-Sha1: c2c5c7d74ab86c4b39d77940c226855844f1f449 1609 gfxboot_4.5.73-1.dsc 13de6fbf9acbfb5551a3a2804cf9e82c9870c3ef 9781997 gfxboot_4.5.73.orig.tar.gz acc01c0cc21f274acbc3994b9c0c4b011874eea5 12716 gfxboot_4.5.73-1.debian.tar.xz Checksums-Sha256: 6f23a28ae06f1decb79112990d8cc7d034134c92fb1f6e41d8533b7e1f626d6e 1609 gfxboot_4.5.73-1.dsc 13e2e3e225d9782b9adf82197176d9ba4545d8b613915f0b2b5628c3d99fc3bd 9781997 gfxboot_4.5.73.orig.tar.gz 15ef0ce75ecef853b2fe21879c0db21fb14b194cabba11d1d677be86879fad62 12716 gfxboot_4.5.73-1.debian.tar.xz Files: e08278a1f5692bf7c7fb13390a02a0bb 1609 misc optional gfxboot_4.5.73-1.dsc 500a2194268bb5c1dbb497b2b8105bd3 9781997 misc optional gfxboot_4.5.73.orig.tar.gz 53a759501f614a230e960d4bda0fc062 12716 misc optional gfxboot_4.5.73-1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iJYEARYKAD4WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCX/J5tSAcdmFncmFudEBy ZXByb2R1Y2libGUtYnVpbGRzLm9yZwAKCRDcUY/If5cWqitCAP9NJvtds5zTP2ze RRVyRluRrlRJiSukz/f3BxtlbkblnQD/aPOi35EZQReo+mHqDWUdfjXuwAOackm6 U3/BNsr4SQs= =miBm -----END PGP SIGNATURE-----
--- End Message ---