Bug#977177: mm-common: reproducible builds: Generated tarball includes user, group and file mode

Vagrant Cascadian vagrant at reproducible-builds.org
Wed Nov 29 20:16:01 GMT 2023


On 2020-12-12, Simon McVittie wrote:
> On Fri, 11 Dec 2020 at 20:45:09 -0800, Vagrant Cascadian wrote:
>> If anyone has a better handle on python's tarfile mode handling code, it
>> might be worth taking a closer look. I'm not entirely sure how the file
>> modes work in this code (they don't appear to use modes similar to those
>> used by umask, chmod or python's file functions)
>
> It looks like they're encoded in the same way as st_mode in a struct
> stat_buf: the low bits are Unix permissions (which start making sense
> if you print them in octal) and the high bits are file type. See the
> documentation for the stat Python module, and in particular stat.S_IMODE
> and stat.S_IFMT.
>
> I think the correct normalization would be something like this (untested!):
>
>     if tarinfo.isdir() or (tarinfo.mode & 0o111) != 0:
>         tarinfo.mode = stat.S_IFMT(tarinfo.mode) | 0o755
>     else:
>         tarinfo.mode = stat.S_IFMT(tarinfo.mode) | 0o644
>
> (that's the same as chmod a+rX,og-w).

Upstream has since fixed the user/uid/group/gid issues, but the umask
issues still remain.

Updated patch attached based on Simon McVittie's suggestion (only adding
"import stat").

With the patch, I managed to produce a bit-for-bit identical
skeletonmm.tar.xz with the patch applied, both in a test environment
where the umask was varied, and with a fairly "normal" umask which was
bit-for-bit identical to the skeletonmm.tar.xz in the mm-common package
in the Debian archive. So it should not cause regressions!

With this patch applied, mm-common should become reproducible on
tests.reproducible-builds.org infrastructure!

Would an upload including this patch be considered soon, or would the
maintainers be open to an NMU in the near future?

Thanks!

live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-util-meson_aux-skeletonmm-tarball.py-Use-consistent-.patch
Type: text/x-diff
Size: 1138 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-gnome-maintainers/attachments/20231129/aa6cefd2/attachment.patch>
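
The mode normalization quoted in the message above, applied as a `filter` for `TarFile.add()` and checked against two copies of a tree whose modes differ as they would under umask 022 and umask 077. This is an added example, not the attached patch or mm-common's own script; the sample tree, the function names and the pinned mtime are assumptions of the example.

```python
import io
import os
import stat
import tarfile
import tempfile


def normalize(tarinfo):
    """Filter for TarFile.add(): drop builder-specific metadata."""
    # Ownership: the part the thread says upstream has already fixed.
    tarinfo.uid = tarinfo.gid = 0
    tarinfo.uname = tarinfo.gname = "root"
    # Assumption of this example only: pin mtime so the two trees compare equal.
    tarinfo.mtime = 0
    # Mode normalization quoted in the thread (same as chmod a+rX,og-w).
    if tarinfo.isdir() or (tarinfo.mode & 0o111) != 0:
        tarinfo.mode = stat.S_IFMT(tarinfo.mode) | 0o755
    else:
        tarinfo.mode = stat.S_IFMT(tarinfo.mode) | 0o644
    return tarinfo


def make_tree(root, dir_mode, file_mode, exec_mode):
    """Constructed sample tree; modes mimic what a given umask would leave."""
    src = os.path.join(root, "skeleton")
    os.mkdir(src)
    for name, mode in (("README", file_mode), ("autogen.sh", exec_mode)):
        path = os.path.join(src, name)
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        os.chmod(path, mode)
    os.chmod(src, dir_mode)
    return src


def build_tar(src, tar_filter=None):
    """Return the bytes of an uncompressed tar of src (add() sorts entries)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        tar.add(src, arcname="skeleton", filter=tar_filter)
    return buf.getvalue()


def compare(tar_filter=None):
    """Build the tree as left by umask 022 and by umask 077; True if tars match."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (build_tar(make_tree(a, 0o755, 0o644, 0o755), tar_filter)
                == build_tar(make_tree(b, 0o700, 0o600, 0o700), tar_filter))
```

`compare()` shows the umask leaking into the archive, while `compare(normalize)` yields byte-identical output for both trees.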