[Pkg-cmake-team] Bug#973845: cmake: tar subcommand has no way to disable storing uid/gid in PKZIP format archive

Thorsten Glaser tg at mirbsd.de
Thu Nov 5 22:20:50 GMT 2020


Package: cmake
Version: 3.18.4-1
Severity: wishlist
Tags: upstream
User: reproducible-builds at lists.alioth.debian.org
Usertags: toolchain, username
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

The musescore3 source package uses the following construct…

    COMMAND "${CMAKE_COMMAND}" -E tar cf "${PATH_OUT_ABS}" --format=zip -- ${FILES_IN}

… to create PKZIP-format archives at build time. The cmake-
builtin “tar” command has options to clamp(? set?) the mtime,
but not to prevent inclusion of the uid/gid into the archive,
producing the following diffoscope output:

··The·central-directory·extra·field·contains:					··The·central-directory·extra·field·contains:
··-·A·subfield·with·ID·0x5455·(universal·time)·and·13·data·bytes.		··-·A·subfield·with·ID·0x5455·(universal·time)·and·13·data·bytes.
····The·local·extra·field·has·UTC/GMT·modification/access/creation·times.	····The·local·extra·field·has·UTC/GMT·modification/access/creation·times.
··-·A·subfield·with·ID·0x7875·(Unix·UID/GID·(any·size))·and·11·data·bytes:	··-·A·subfield·with·ID·0x7875·(Unix·UID/GID·(any·size))·and·11·data·bytes:
····01·04·57·04·00·00·04·57·04·00·00.						····01·04·ae·08·00·00·04·ae·08·00·00.

Basically, the UID changed from 0x0457 to 0x08AE (AFAICT).

Now “zip” from info-zip has the following option:

     -X   Do not save extra file attributes (Extended Attributes
          on OS/2, uid/gid and file times on Unix).

This functionality would be useful to have here, for reproducible
builds. (We also must be able to detect it, so building with older
cmake versions doesn’t fail.) Then I can ask upstream to include
it. (Changing the build to use info-zip is not an option, as upstream
also builds on commercial OSes; extra dependencies are unwanted.)

bye,
//mirabilos
-- 
Stéphane, I actually don’t block Googlemail, they’re just too utterly
stupid to successfully deliver to me (or anyone else using Greylisting
and not whitelisting their ranges). Same for a few other providers such
as Hotmail. Some spammers (Yahoo) I do block.
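
Added example, not part of the original message and not cmake code: a Python check that decodes the 0x7875 subfield flagged in the diffoscope output above and reports which archive members carry a builder's uid/gid. The member name `score.mscx` and the sample archives are constructed; the payload layout (version byte, then size-prefixed little-endian uid and gid) follows the Info-ZIP extra-field description.

```python
import io
import struct
import zipfile

UNIX_UIDGID = 0x7875  # "Unix UID/GID (any size)" subfield ID from the diffoscope output
# The two 11-byte payloads shown in the diffoscope output, one per build.
BUILD_A = "01 04 57 04 00 00 04 57 04 00 00"
BUILD_B = "01 04 ae 08 00 00 04 ae 08 00 00"

def iter_subfields(extra: bytes):
    """Yield (header_id, data) for each subfield of a ZIP extra field."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4 : pos + 4 + size]
        if len(data) != size:
            raise ValueError(f"truncated subfield 0x{header_id:04x}")
        yield header_id, data
        pos += 4 + size

def decode_uidgid(data: bytes):
    """Decode a 0x7875 payload: version, uid size, uid, gid size, gid."""
    if len(data) < 3 or data[0] != 1:
        raise ValueError("unsupported 0x7875 payload")
    gid_at = 2 + data[1]  # offset of the gid-size byte
    if gid_at >= len(data) or gid_at + 1 + data[gid_at] != len(data):
        raise ValueError("malformed 0x7875 payload")
    uid = int.from_bytes(data[2:gid_at], "little")
    return uid, int.from_bytes(data[gid_at + 1 :], "little")

def find_owner_ids(zip_bytes: bytes):
    """Map member name -> (uid, gid) for central-directory entries with 0x7875."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            for header_id, data in iter_subfields(info.extra):
                if header_id == UNIX_UIDGID:
                    found[info.filename] = decode_uidgid(data)
    return found

def make_sample(payload_hex: str) -> bytes:
    """Constructed sample: a one-member archive carrying the given payload."""
    payload = bytes.fromhex(payload_hex)
    info = zipfile.ZipInfo("score.mscx", date_time=(2020, 11, 5, 0, 0, 0))
    info.extra = struct.pack("<HH", UNIX_UIDGID, len(payload)) + payload
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"constructed sample data")
    return buf.getvalue()
```

Calling `find_owner_ids()` on a build artifact's bytes gives an empty dict when no member embeds ownership data, which makes it usable as a reproducibility gate in CI.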


