Bug#1037427: newlib: reproducible builds: tarball embeds various metadata from build machine

Vagrant Cascadian vagrant at reproducible-builds.org
Mon Jun 12 17:19:02 BST 2023


Source: newlib
Version: 3.3.0-1.3
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: username timestamps
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org

The source tarball /usr/src/newlib/newlib-3.3.0.tar.xz embeds
timestamps, file mode, username, userid, groupname and groupid of the
build user:

  https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/newlib.html

The attached patch fixes this by passing arguments to tar in
debian/rules to ensure consistent sort order, timestamps, user, group,
uid and gid and file mode in the generated tarball.


According to my local tests, with this patch applied newlib should
become reproducible on tests.reproducible-builds.org once it migrates to
trixie/testing! Unfortunately, other issues (build paths) tested on
unstable and experimental are still unresolved.


Thanks for maintaining newlib!

live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-debian-rules-Pass-arguments-to-tar-for-consistent-so.patch
Type: text/x-diff
Size: 1025 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20230612/367afd23/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20230612/367afd23/attachment.sig>


More information about the Reproducible-bugs mailing list