Hi Niels,

On 11/02/14 19:11, Niels Thykier wrote:
> On 2014-02-11 10:53, Tomasz Buchert wrote:
> [...]
>
> Hi,
>
> Thanks for working on it and producing a patch for it as well. :)
>
> > Currently, it will emit "package-contains-timestamped-gzip"
> > on any file ending with ".gz", being a gzip file and containing
> > a timestamp. It means that currently the tag
> > "gzip-file-is-not-multi-arch-same-safe"
> > will imply "package-contains-timestamped-gzip".
>
> Ok - not sure if anyone has any feeling for or against that. I am a
> /little/ concerned with it creating "too much output" (for new users),
> but other than that I don't care too much.
>

The reason I did it is that I wanted to keep "backwards compatibility".
Another solution is to drop "gzip-file-is-not-multi-arch-same-safe"
altogether, of course.

> > [...]
>
> Otherwise, it looks good at first glance (without having tested it).
>
> ~Niels
>

Thanks for the review! I attach a new patch that (hopefully) addresses
your issues.

Tomasz

>From 5f9f1e9fea7435f3eacbc95b00ebe835c8f1eca9 Mon Sep 17 00:00:00 2001 From: Tomasz Buchert <tomasz.buch...@inria.fr> Date: Tue, 11 Feb 2014 10:11:20 +0100 Subject: [PATCH] new tag: package-contains-timestamped-gzip (+ test) --- checks/files.desc | 10 ++++++++++ checks/files.pm | 14 +++++++++----- t/tests/files-reproducibility/debian/Makefile | 9 +++++++++ t/tests/files-reproducibility/desc | 6 ++++++ t/tests/files-reproducibility/tags | 1 + 5 files changed, 35 insertions(+), 5 deletions(-) create mode 100644 t/tests/files-reproducibility/debian/Makefile create mode 100644 t/tests/files-reproducibility/desc create mode 100644 t/tests/files-reproducibility/tags diff --git a/checks/files.desc b/checks/files.desc index 760f86a..f0b9444 100644 --- a/checks/files.desc +++ b/checks/files.desc @@ -1448,3 +1448,13 @@ Info: The given file is in PATH but consists of non-ASCII characters. . Note that Lintian may be unable to display the filename accurately. Unprintable characters may have been replaced. + +Tag: package-contains-timestamped-gzip +Severity: wishlist +Certainty: certain +Info: The package contains a gzip'ed file that has timestamps. + Such files make the packages unreproducible, because their + contents depend on the time when the package was built. + . + Please consider passing the "-n" flag to gzip to avoid this. +Ref: https://wiki.debian.org/ReproducibleBuilds diff --git a/checks/files.pm b/checks/files.pm index 5c5a60d..21a0f0c 100644 --- a/checks/files.pm +++ b/checks/files.pm 
@@ -1400,23 +1400,27 @@ sub run { my $finfo = $info->file_info($file) || ''; if ($finfo !~ m/gzip compressed/) { tag 'gz-file-not-gzip', $file; - } elsif ($isma_same && $file !~ m/\Q$arch\E/o) { + } else { my $path = $info->unpacked($file); my $buff; + my $mtime; open(my $fd, '<', $path); # We need to read at least 8 bytes if (sysread($fd, $buff, 1024) >= 8) { # Extract the flags and the mtime. # NN NN NN NN, NN NN NN NN - bytes read # __ __ __ __, $mtime - variables - my (undef, $mtime) = unpack('NN', $buff); - if ($mtime){ - tag 'gzip-file-is-not-multi-arch-same-safe',$file; - } + (undef, $mtime) = unpack('NN', $buff); } else { fail "reading $file: $!"; } close($fd); + if ($mtime != 0) { + if ($isma_same && $file !~ m/\Q$arch\E/o) { + tag 'gzip-file-is-not-multi-arch-same-safe', $file; + } + tag 'package-contains-timestamped-gzip', $file; + } } } diff --git a/t/tests/files-reproducibility/debian/Makefile b/t/tests/files-reproducibility/debian/Makefile new file mode 100644 index 0000000..c5f6bc7 --- /dev/null +++ b/t/tests/files-reproducibility/debian/Makefile @@ -0,0 +1,9 @@ +ROOT=$(DESTDIR)/usr/share/files-reproducibility + +default: + : + +install: + mkdir -p $(ROOT) + echo "Hello" | gzip - -c > $(ROOT)/gzip-with-timestamp.gz + echo "Hello" | gzip - -nc > $(ROOT)/gzip-without-timestamp.gz diff --git a/t/tests/files-reproducibility/desc b/t/tests/files-reproducibility/desc new file mode 100644 index 0000000..8cbbae9 --- /dev/null +++ b/t/tests/files-reproducibility/desc @@ -0,0 +1,6 @@ +Testname: files-reproducibility +Sequence: 6000 +Version: 1.0 +Description: Test if package is reproducible +Test-For: + package-contains-timestamped-gzip diff --git a/t/tests/files-reproducibility/tags b/t/tests/files-reproducibility/tags new file mode 100644 index 0000000..150dd0a --- /dev/null +++ b/t/tests/files-reproducibility/tags @@ -0,0 +1 @@ +I: files-reproducibility: package-contains-timestamped-gzip usr/share/files-reproducibility/gzip-with-timestamp.gz -- 1.8.5.3
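
Review bot: the Info text added to checks/files.desc says the file "has timestamps" without naming where they live. Saying that the gzip header carries a non-zero mtime would tell the maintainer what to look for and why passing "-n" removes it.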
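
Review bot: in the checks/files.pm hunk, `(undef, $mtime) = unpack('NN', $buff);` decodes the header as big-endian words, while the gzip mtime field (bytes 4 to 7) is stored little-endian. The `$mtime != 0` test is unaffected, because a non-zero field is non-zero in either byte order, but the comment above it should say the value is only good for a zero test, or the template should become `'NV'`, so nobody later reports the number as a date. With the `$isma_same` condition moved inside, every file ending in .gz is now opened and read, so the unchecked `open(my $fd, '<', $path);` matters more than before: a failed open is reported only through the sysread failure message.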
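
Review bot: in t/tests/files-reproducibility/debian/Makefile, the gzip-with-timestamp.gz fixture depends on gzip writing a non-zero mtime for data read from a pipe, which the test itself does not control. Writing "Hello" to a regular file in the install target and compressing that file would tie the expected tag to something the Makefile sets up.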
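
The condition discussed in this thread (a file ending in ".gz" whose gzip header carries a timestamp), as an added Python example that is not part of the original mail or of Lintian. It reads the mtime field as little-endian per RFC 1952 and shows that two builds of the same payload differ only in that field; the sample paths and times are constructed.

```python
import gzip
import io
import struct

def gzip_mtime(data):
    """MTIME from a gzip header, or None if data is not a gzip stream.

    RFC 1952 layout: ID1 ID2 CM FLG | MTIME (4 bytes, little-endian) | XFL OS
    """
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        return None
    return struct.unpack_from("<I", data, 4)[0]

def compress(payload, mtime):
    """gzip payload with a chosen header MTIME (0 is what `gzip -n` stores)."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()

def timestamped(files):
    """Names ending in .gz whose gzip header has a non-zero MTIME."""
    return sorted(name for name, data in files.items()
                  if name.endswith(".gz") and gzip_mtime(data))

def differing_offsets(a, b):
    """Byte offsets at which two equal-length streams differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

# Constructed sample package contents (paths and times are made up).
SAMPLES = {
    "usr/share/doc/demo/changelog.gz": compress(b"Hello\n", 1392109880),
    "usr/share/doc/demo/NEWS.gz": compress(b"Hello\n", 0),
    "usr/share/doc/demo/broken.gz": b"plain text, not gzip",
}

if __name__ == "__main__":
    for name in timestamped(SAMPLES):
        print("timestamped gzip:", name, gzip_mtime(SAMPLES[name]))
    # Same payload built one second apart: differences stay inside MTIME.
    first = compress(b"Hello\n", 1392109880)
    second = compress(b"Hello\n", 1392109881)
    print("differing offsets:", differing_offsets(first, second))
```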