GNU bug report logs - #57304
Fix mm-common reproducibility issues


Package: guix-patches;

Reported by: Vagrant Cascadian <vagrant <at> reproducible-builds.org>

Date: Sat, 20 Aug 2022 02:52:02 UTC

Severity: normal

Done: Vagrant Cascadian <vagrant <at> reproducible-builds.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#57304; Package guix-patches. (Sat, 20 Aug 2022 02:52:02 GMT)

Acknowledgement sent to Vagrant Cascadian <vagrant <at> reproducible-builds.org>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sat, 20 Aug 2022 02:52:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
To: guix-patches <at> gnu.org
Subject: Fix mm-common reproducibility issues
Date: Fri, 19 Aug 2022 19:51:37 -0700
[Message part 1 (text/plain, inline)]
The userid used during the build is embedded in a shipped tarball in the
mm-common package. Some abbreviated diffoscope output from guix
challenge against builds from ci.guix.gnu.org and bordeaux.guix.gnu.org:

│ │ │ │   --- /tmp/guix-directory.rKX8CR/share/doc/mm-common/skeletonmm.tar.xz
│ │ │ ├── +++ /tmp/guix-directory.rlW2tI/share/doc/mm-common/skeletonmm.tar.xz
│ │ │ │ ├── skeletonmm.tar
│ │ │ │ │ ├── file list
│ │ │ │ │ │ @@ -1,36 +1,36 @@
│ │ │ │ │ │ +-rw-r--r--   0 nixbld     (996) nixbld   (30000)       60 2021-05-20 08:57:07.009229 skeletonmm/.gitignore
│ │ │ │ │ │ +-rw-r--r--   0 nixbld     (996) nixbld   (30000)       59 2021-05-20 08:57:07.009229 skeletonmm/AUTHORS
│ │ │ │ │ │ +-rw-r--r--   0 nixbld     (996) nixbld   (30000)    26527 2021-05-20 08:57:07.009229 skeletonmm/COPYING
...
│ │ │ │ │ │ --rw-r--r--   0 nixbld     (995) nixbld   (30000)       60 2021-05-20 08:57:07.009229 skeletonmm/.gitignore
│ │ │ │ │ │ --rw-r--r--   0 nixbld     (995) nixbld   (30000)       59 2021-05-20 08:57:07.009229 skeletonmm/AUTHORS
│ │ │ │ │ │ --rw-r--r--   0 nixbld     (995) nixbld   (30000)    26527 2021-05-20 08:57:07.009229 skeletonmm/COPYING


The attached patch fixes this by setting the user, group, uid and gid
consistently.

  $ guix refresh --list-dependent mm-common
  Building the following 1138 packages would ensure 2236 dependent
  packages are rebuilt: ...

Looks like it will have to wait for core-updates at least...

live well,
  vagrant
[0001-gnu-mm-common-Build-reproducibly.patch (text/x-diff, inline)]
From 4b359c9bbc918e6dcf1cab1141a9651d6d7bf271 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
Date: Fri, 19 Aug 2022 19:32:08 -0700
Subject: [PATCH] gnu: mm-common: Build reproducibly.

* gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch:
  New file.
* gnu/local.mk (dist_patch_DATA): Add patch.
* gnu/packages/gnome.scm (mm-common)[source]: Add patch.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/gnome.scm                        |  5 ++-
 ...consistent-user-and-group-in-tarball.patch | 40 +++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 4e4ad908ce..20d322e27f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1516,6 +1516,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/mit-krb5-hurd.patch			\
   %D%/packages/patches/mixxx-link-qtscriptbytearray-qtscript.patch	\
   %D%/packages/patches/mixxx-system-googletest-benchmark.patch	\
+  %D%/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch \
   %D%/packages/patches/mpc123-initialize-ao.patch		\
   %D%/packages/patches/mpg321-CVE-2019-14247.patch		\
   %D%/packages/patches/mpg321-gcc-10.patch			\
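Review bot: the added dist_patch_DATA entry ends in a single space before the backslash, while the neighbouring entries pad with tabs up to the continuation column. The file name is long enough that the diffstat in the commit message already abbreviates it; a shorter patch name would let this line follow the surrounding alignment and be easier to read. The alphabetical position between the mixxx and mpc123 entries is right.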
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index ae46e55c51..790881b9d8 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -1143,7 +1143,10 @@ (define-public mm-common
                                   "mm-common-" version ".tar.xz"))
               (sha256
                (base32
-                "1x8yvjy0yg17qyhmqws8xh2k8dvzrhpwqz7j1cfwzalrb1i9c5g8"))))
+                "1x8yvjy0yg17qyhmqws8xh2k8dvzrhpwqz7j1cfwzalrb1i9c5g8"))
+              (patches
+               (search-patches
+                "mm-common-consistent-user-and-group-in-tarball.patch"))))
     (build-system meson-build-system)
     (arguments
      `(#:phases
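Review bot: the new (patches ...) field in the mm-common origin carries no comment saying where the patch comes from or when it can be dropped. The patch file records "Original-Patch: https://bugs.debian.org/977177"; a one-line comment here pointing at that report would tell whoever next updates the package to check whether the new release still needs it. Leaving the sha256 unchanged is correct, since it covers the upstream tarball and not the patched tree.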
diff --git a/gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch b/gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch
new file mode 100644
index 0000000000..f0890aaf57
--- /dev/null
+++ b/gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch
@@ -0,0 +1,40 @@
+From 024c121c844a4ec920133eb3f7e6b6ee8044c0b6 Mon Sep 17 00:00:00 2001
+From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
+Date: Sat, 12 Dec 2020 04:05:56 +0000
+Original-Patch: https://bugs.debian.org/977177
+Subject: [PATCH] Set uid, username, gid, and group name on files in
+ generated tarball.
+
+The user and group may otherwise vary between builds on different systems.
+
+---
+ util/meson_aux/skeletonmm-tarball.py | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/util/meson_aux/skeletonmm-tarball.py b/util/meson_aux/skeletonmm-tarball.py
+index db9e650..89049b6 100755
+--- a/util/meson_aux/skeletonmm-tarball.py
++++ b/util/meson_aux/skeletonmm-tarball.py
+@@ -39,10 +39,18 @@ elif output_file.endswith('.gz'):
+ else:
+   mode = 'w'
+ 
++def reproducible(tarinfo):
++  # Set consistent user and group on files in the tar archive
++  tarinfo.uid = 0
++  tarinfo.uname = 'root'
++  tarinfo.gid = 0
++  tarinfo.gname = 'root'
++  return tarinfo
++
+ with tarfile.open(output_file, mode=mode) as tar_file:
+   os.chdir(source_dir) # Input filenames are relative to source_dir.
+   for file in sys.argv[3:]:
+-    tar_file.add(file)
++    tar_file.add(file, filter=reproducible)
+ # Errors raise exceptions. If an exception is raised, Meson+ninja will notice
+ # that the command failed, despite exit(0).
+ sys.exit(0)
+-- 
+2.29.2
+
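Review bot: reproducible() resets only the four ownership fields, so tarinfo.mtime and tarinfo.mode are still taken from the files under source_dir when tar_file.add(file, filter=reproducible) runs. The archive therefore stays identical across builds only as long as every build unpacks the sources with the same timestamps and permissions. Either extend the comment in reproducible() to say that ownership is the only field being normalised on purpose, or set mtime and mode in the same filter so the function does what its name promises.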
-- 
2.35.1

[signature.asc (application/pgp-signature, inline)]
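
The ownership leak described in this message and the effect of the patch's filter, as an added example (not code from mm-common or Guix). It simulates the two build users from the diffoscope listing (uids 996 and 995) by constructing TarInfo entries in memory instead of reading files from disk; file contents, the fixed mtime and the helper names build_tar, leaked_owners and compare_builds are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Constructed sample input: names follow the diffoscope listing, contents are invented.
FILES = [("skeletonmm/.gitignore", b"*.o\n"), ("skeletonmm/AUTHORS", b"Example Author\n")]

def reproducible(tarinfo):
    """Ownership normalisation: the same four fields the patch's filter sets."""
    tarinfo.uid = tarinfo.gid = 0
    tarinfo.uname = tarinfo.gname = "root"
    return tarinfo

def build_tar(uid, uname, gid, gname, member_filter=None):
    """Build an uncompressed tar in memory as if the files belonged to the given build user."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in FILES:
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.mtime = len(data), 0o644, 1621501027  # constructed
            info.uid, info.uname, info.gid, info.gname = uid, uname, gid, gname
            if member_filter is not None:
                info = member_filter(info)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def leaked_owners(tar_bytes):
    """List members whose ownership is not root:root (0:0), i.e. build-user leakage."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return [(m.name, m.uid, m.uname, m.gid, m.gname) for m in tar
                if (m.uid, m.uname, m.gid, m.gname) != (0, "root", 0, "root")]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def compare_builds(member_filter=None):
    """Return (digests_match, leaks_in_first_build) for two simulated build users."""
    a = build_tar(996, "nixbld", 30000, "nixbld", member_filter)
    b = build_tar(995, "nixbld", 30000, "nixbld", member_filter)
    return sha256(a) == sha256(b), leaked_owners(a)

if __name__ == "__main__":
    print("without filter:", compare_builds())
    print("with filter:   ", compare_builds(reproducible))
```

leaked_owners() can be pointed at any uncompressed or compressed tar read into memory, which makes it usable as a check on shipped archives after a build.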

Information forwarded to guix-patches <at> gnu.org:
bug#57304; Package guix-patches. (Tue, 30 Aug 2022 20:35:02 GMT)

Message #8 received at 57304 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
Cc: 57304 <at> debbugs.gnu.org
Subject: Re: bug#57304: Fix mm-common reproducibility issues
Date: Tue, 30 Aug 2022 22:34:33 +0200
Hi,

Vagrant Cascadian <vagrant <at> reproducible-builds.org> skribis:

> The userid used during the build is embedded in a shipped tarball in the
> mm-common package. Some abbreviated diffoscope output from guix
> challenge against builds from ci.guix.gnu.org and bordeaux.guix.gnu.org:

Good catch.

> The attached patch fixes this by setting the user, group, uid and gid
> consistently.
>
>   $ guix refresh --list-dependent mm-common
>   Building the following 1138 packages would ensure 2236 dependent
>   packages are rebuilt: ...
>
> Looks like it will have to wait for core-updates at least...

Yeah, let’s apply it on ‘core-updates’.

> From 4b359c9bbc918e6dcf1cab1141a9651d6d7bf271 Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
> Date: Fri, 19 Aug 2022 19:32:08 -0700
> Subject: [PATCH] gnu: mm-common: Build reproducibly.
>
> * gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch:
>   New file.
> * gnu/local.mk (dist_patch_DATA): Add patch.
> * gnu/packages/gnome.scm (mm-common)[source]: Add patch.

[...]

> +  %D%/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch \

I’d suggest a shorter name to appease ‘tar’, say
‘mm-common-reproducible-tarball.patch’.

Otherwise LGTM, thanks!

Ludo’.




Reply sent to Vagrant Cascadian <vagrant <at> reproducible-builds.org>:
You have taken responsibility. (Wed, 31 Aug 2022 00:47:01 GMT)

Notification sent to Vagrant Cascadian <vagrant <at> reproducible-builds.org>:
bug acknowledged by developer. (Wed, 31 Aug 2022 00:47:01 GMT)

Message #13 received at 57304-done <at> debbugs.gnu.org (full text, mbox):

From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
To: Ludovic Courtès <ludo <at> gnu.org>
Cc: 57304-done <at> debbugs.gnu.org
Subject: Re: bug#57304: Fix mm-common reproducibility issues
Date: Tue, 30 Aug 2022 17:46:01 -0700
[Message part 1 (text/plain, inline)]
On 2022-08-30, Ludovic Courtès wrote:
> Vagrant Cascadian <vagrant <at> reproducible-builds.org> skribis:
>> The userid used during the build is embedded in a shipped tarball in the
>> mm-common package. Some abbreviated diffoscope output from guix
>> challenge against builds from ci.guix.gnu.org and bordeaux.guix.gnu.org:
>
> Good catch.
>
>> The attached patch fixes this by setting the user, group, uid and gid
>> consistently.
>>
>>   $ guix refresh --list-dependent mm-common
>>   Building the following 1138 packages would ensure 2236 dependent
>>   packages are rebuilt: ...
>>
>> Looks like it will have to wait for core-updates at least...
>
> Yeah, let’s apply it on ‘core-updates’.
>
>> From 4b359c9bbc918e6dcf1cab1141a9651d6d7bf271 Mon Sep 17 00:00:00 2001
>> From: Vagrant Cascadian <vagrant <at> reproducible-builds.org>
>> Date: Fri, 19 Aug 2022 19:32:08 -0700
>> Subject: [PATCH] gnu: mm-common: Build reproducibly.
>>
>> * gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch:
>>   New file.
>> * gnu/local.mk (dist_patch_DATA): Add patch.
>> * gnu/packages/gnome.scm (mm-common)[source]: Add patch.
>
> [...]
>
>> +  %D%/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch \
>
> I’d suggest a shorter name to appease ‘tar’, say
> ‘mm-common-reproducible-tarball.patch’.

I do not think tar is too worried about that anymore since the updated
tar format, but it is easier on human eyes, so I'll go along with it. :)

Pushed 5ce7178eb8375716625de14f59e227fdd9b8d9f0 to core-updates!


live well,
  vagrant
[signature.asc (application/pgp-signature, inline)]

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 28 Sep 2022 11:24:04 GMT)

This bug report was last modified 1 year and 210 days ago.
