[Reproducible-builds] symlink permission bits on non-Linux

Jérémy Bobbio lunar at debian.org
Tue Feb 16 07:42:07 UTC 2016 

Steven Chamberlain:
> On linux, a symlink can only have permissions 0777 (lrwxrwxrwx)
> 
> But on at least kfreebsd (maybe hurd?) there is no such limitation, and
> permissions are set like any regular file.  That also means the umask is
> applied...  and tar and dpkg-deb preserve this.
> 
> This proves to be an issue for:
>   * reproducible builds on kfreebsd, affected by user's umask
>   * reproducing arch:all packages between linux<->kfreebsd
>   * reproducing linux packages by cross-building from kfreebsd
> 
> I think we should normalise symlinks' permissions to 0777, except GNU
> chmod can't do that!  (chmod follows the symlink, and has no -h flag).
> 
> Adding a -h (no dereference) option to chmod would allow dh_fixperms to
> use that.  But (as pointed out in #759886) adding things there does not
> help packages not using debhelper, or other uses of tar.
> 
> Would this be best added as a feature to tar, that dpkg-deb can use?
> Probably a new flag, that would apply --mode a=rwx only to symlinks.
> 
> Or are there other ideas how to fix this?

One idea floating is to get dpkg-deb working with an explicit manifest
to create the package content. I believe that would solve the issue. But
that's at least mid-term because dpkg needs to get its own Tar
implementation (or maybe depend on libarchive) and, likely harder, a
format needs to be defined for the manifest.

In the meantime, shouldn't GNU chmod get a `-h` option in any cases if
it's going to be used on kFreeBSD?

Then it's pretty easy to start with `dh_fixperms` and see how much it
helps.

Guillem said he was ok with dpkg depending on recent versions of
Tar [1], but changes would need to be accepted by Tar upstream.

What's the situation regarding symlinks on HURD?

 [1]: https://bugs.debian.org/759886#73

-- 
Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20160216/580fd7ef/attachment.sig>

More information about the Reproducible-builds mailing list