Bug#978946: marked as done (gfxboot: reproducible builds: Embeds user id, group id and timestamps in cpio files)

To: Vagrant Cascadian <vagrant@reproducible-builds.org>
Subject: Bug#978946: marked as done (gfxboot: reproducible builds: Embeds user id, group id and timestamps in cpio files)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Mon, 04 Jan 2021 18:36:10 +0000
Message-id: <[🔎] handler.978946.D978946.160978520611465.ackdone@bugs.debian.org>
Reply-to: 978946@bugs.debian.org
References: <E1kwUfU-000090-OS@fasolo.debian.org> <8735zlttyx.fsf@yucca>

Your message dated Mon, 04 Jan 2021 18:33:24 +0000
with message-id <E1kwUfU-000090-OS@fasolo.debian.org>
and subject line Bug#978946: fixed in gfxboot 4.5.73-2
has caused the Debian Bug report #978946,
regarding gfxboot: reproducible builds: Embeds user id, group id and timestamps in cpio files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
978946: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978946
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: submit@bugs.debian.org
Subject: gfxboot: reproducible builds: Embeds user id and group id in cpio files
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Thu, 31 Dec 2020 15:51:34 -0800
Message-id: <8735zlttyx.fsf@yucca>

Source: gfxboot
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Various cpio archives shipped in gfxboot contain the user id and group
id of the build user:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/gfxboot.html

  etc/bootsplash/example_01/cdrom/bootlogo

  -rw-r--r--···1·····1111·····1111····42639·2020-12-24·13:17:48.000000·init
  vs.
  -rw-r--r--···1·····2222·····2222····42639·2022-01-26·19:45:05.000000·init


The attached patch fixes this by passing the owner argument to the cpio
calls when creating the archives.


Unfortunately, the cpio archives also embed the timestamps of the files
included, which will likely vary between builds, so this does not
resolve all reproducibility issues with these archives.


Thanks for maintaining gfxboot!


live well,
  vagrant

From 7a670f72d5305aaf692597f1748937d552d290a3 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Thu, 31 Dec 2020 08:57:55 +0000
Subject: [PATCH 1/2] Patch calls to create cpio archives to set owner and
 group.

---
 bin/unpack_bootlogo      | 2 +-
 gfxboot                  | 4 ++--
 themes/openSUSE/Makefile | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/unpack_bootlogo b/bin/unpack_bootlogo
index ec83d0b..7672e16 100755
--- a/bin/unpack_bootlogo
+++ b/bin/unpack_bootlogo
@@ -48,7 +48,7 @@ sub unpack_bootlogo
     }
   }
 
-  open P, "| cd $tmp; cpio --quiet -o >../bootlogo";
+  open P, "| cd $tmp; cpio --quiet --owner=+0:+0 -o >../bootlogo";
   print P "$_\n" for grep $_, @files;
   if($xdir) { print P "$_\n" for @ext }
   close P;
diff --git a/gfxboot b/gfxboot
index f7cda36..4015dd2 100755
--- a/gfxboot
+++ b/gfxboot
@@ -2597,7 +2597,7 @@ sub pack_archive
     }
 
     if(@pack_list) {
-      open $f, "| ( cd $dir ; cpio --quiet -o ) >$file/$archive";
+      open $f, "| ( cd $dir ; cpio --quiet --owner=+0:+0 -o ) >$file/$archive";
       print $f join("\n", @pack_list);
       close $f;
     }
@@ -2606,7 +2606,7 @@ sub pack_archive
   else {
     $file = $gfxboot_tmp->file;
 
-    $i = system "cd $dir ; find . | cpio --quiet -o >$file 2>/dev/null";
+    $i = system "cd $dir ; find . | cpio --quiet --owner=+0:+0 -o >$file 2>/dev/null";
     die "$file: failed to create archive\n" if $i;
   }
 
diff --git a/themes/openSUSE/Makefile b/themes/openSUSE/Makefile
index 3a71f9b..1c8de69 100644
--- a/themes/openSUSE/Makefile
+++ b/themes/openSUSE/Makefile
@@ -56,7 +56,7 @@ ifdef DEFAULT_LANG
 	@echo $(DEFAULT_LANG) >bootlogo.dir/lang
 endif
 	@sh -c 'cd bootlogo.dir; chmod +t * ; chmod -t init languages'
-	@sh -c 'cd bootlogo.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet -o >../bootlogo'
+	@sh -c 'cd bootlogo.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet --owner=+0:+0 -o >../bootlogo'
 
 message: src/main.bin src/gfxboot.cfg help-boot/.ready po/.ready fonts/.ready
 	@rm -rf message.dir
@@ -71,7 +71,7 @@ ifdef DEFAULT_LANG
 	@echo $(DEFAULT_LANG) >message.dir/lang
 	@echo $(DEFAULT_LANG) >>message.dir/languages
 endif
-	@sh -c 'cd message.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet -o >../message'
+	@sh -c 'cd message.dir; echo * | sed -e "s/ /\n/g" | cpio --quiet --owner=+0:+0 -o >../message'
 
 clean:
 	@for i in $(SUBDIRS) ; do [ ! -f $$i/Makefile ] ||  make -C $$i clean || break ; done
-- 
2.20.1

Attachment: signature.asc
Description: PGP signature

--- End Message ---

--- Begin Message ---

To: 978946-close@bugs.debian.org
Subject: Bug#978946: fixed in gfxboot 4.5.73-2
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Mon, 04 Jan 2021 18:33:24 +0000
Message-id: <E1kwUfU-000090-OS@fasolo.debian.org>
Reply-to: Vagrant Cascadian <vagrant@reproducible-builds.org>

Source: gfxboot
Source-Version: 4.5.73-2
Done: Vagrant Cascadian <vagrant@reproducible-builds.org>

We believe that the bug you reported is fixed in the latest version of
gfxboot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@reproducible-builds.org> (supplier of updated gfxboot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 04 Jan 2021 10:14:56 -0800
Source: gfxboot
Architecture: source
Version: 4.5.73-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Vagrant Cascadian <vagrant@reproducible-builds.org>
Closes: 978946
Changes:
 gfxboot (4.5.73-2) unstable; urgency=medium
 .
   * QA upload.
   * themes/example*/Makefile: Use the .bc files as a reference date.
     (Closes: #978946)
Checksums-Sha1:
 68108cf087dd1b5e07a775119254ac2d93f77ac7 1609 gfxboot_4.5.73-2.dsc
 1ed22c33845f539ae43e0d31ec715a8064ee8202 12976 gfxboot_4.5.73-2.debian.tar.xz
Checksums-Sha256:
 69c201d5c09dd4bce41ccdbb1696847a082afada71a65964947d32cc7359c6f3 1609 gfxboot_4.5.73-2.dsc
 facef39eb05480eae0513473cf7cc83d3e84dab376c438819e7ebb6cff8cefbc 12976 gfxboot_4.5.73-2.debian.tar.xz
Files:
 b166d790bd9caee69638ea0bc5c7fbb4 1609 misc optional gfxboot_4.5.73-2.dsc
 93eadf6e03dd78d0e1332425d6b09147 12976 misc optional gfxboot_4.5.73-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iJYEARYKAD4WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCX/Nc7yAcdmFncmFudEBy
ZXByb2R1Y2libGUtYnVpbGRzLm9yZwAKCRDcUY/If5cWqhqaAQDVky269lLwwZFS
BFjK6LdRLZyVNrYKvF65MWssg1cwHQD/c0nRF7hCnE/8EgPv15nXX74dcGY1qQqN
AAGHtUCAAwc=
=GnPI
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

Prev by Date: hotswap_0.4.0-15.1_source.changes ACCEPTED into unstable
Next by Date: Processing of gfxboot_4.5.73-2_source.changes
Previous by thread: Bug#978946: marked as done (gfxboot: reproducible builds: Embeds user id, group id and timestamps in cpio files)
Next by thread: Processing of gfxboot_4.5.73-1_source.changes
Index(es):
- Date
- Thread