Bug#1009342: xfce4-panel-profiles: reproducible builds: demo tarballs include user, group and file mode of build user

Tue Apr 12 02:41:31 BST 2022

Source: xfce4-panel-profiles
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: umask username
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

Several of the tarballs shipped in
/usr/share/xfce4-panel-profiles/layouts/ embed the username, userid,
groupname, groupid and umask of the build user:

  https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/xfce4-panel-profiles.html

  /usr/share/xfce4-panel-profiles/layouts/Cupertino.tar.bz2

  -rw-r--r--···0·pbuilder1··(1111)·pbuilder1··(1111)·····4925·2021-02-21·22:44:32.000000·config.txt
  vs.
  -rw-rw-r--···0·pbuilder2··(2222)·pbuilder2··(2222)·····4925·2021-02-21·22:44:32.000000·config.txt

The attached patch fixes this by passing arguments to tar in
Makefile.in.in to ensure consistent user, group, uid, gid and file
permissions in the generated tarballs.

I have not verified that these changes work correctly in the resulting
packages, only that it builds reproducibly; please be sure to verify
before uploading.

With this patch applied, xfce4-panel-profiles should become reproducible
on tests.reproducible-builds.org!

Thanks for maintaining xfce4-panel-profiles!

live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Makefile.in.in-Pass-arguments-to-tar-to-make-build-r.patch
Type: text/x-diff
Size: 809 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220411/84a192f8/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220411/84a192f8/attachment.sig>