Bug#1020867: uclibc: reproducible builds: tarball includes user, group and file mode of build user

Tue Sep 27 20:16:59 BST 2022

Source: uclibc
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: umask username
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

The source tarball /usr/src/uClibc-ng-1.0.35.tar.xz embeds the username,
userid, groupname, groupid and umask of the build user:

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/uclibc.html

  drwxr-xr-x···0·pbuilder1··(1111)·pbuilder1··(1111)········0·2020-08-29·02:35:19.000000·uClibc-ng-1.0.35/
  vs.
  drwxrwxr-x···0·pbuilder2··(2222)·pbuilder2··(2222)········0·2020-08-29·02:35:19.000000·uClibc-ng-1.0.35/

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent user, group, uid, gid and file
permissions in the generated tarball.

I have not verified that these changes work correctly in the resulting
packages, only that it builds reproducibly; please be sure to verify
before uploading.

I have not fully tested this patch as my local build environment does
not successfully test umask differences, though I am fairly confident
with this patch applied, uclibc should become reproducible on
tests.reproducible-builds.org!

Thanks for maintaining uclibc!

live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debian-rules-Set-sort-order-user-id-group-id-and-fil.patch
Type: text/x-diff
Size: 962 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220927/cf23d770/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220927/cf23d770/attachment.sig>