Source: vboot-utils Severity: normal Version: 0~R81-12871.B-1 Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: timestamps username X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
The "/usr/bin/futility" embeds differing information in the binary, depending on when and what user built the package: unknown 2020-09-17 07:53:52 pbuilder1 vs. unknown 2021-10-21 16:19:17 pbuilder2 This obviously breaks reproducible builds: https://reproducible-builds.org The attached patch removes the user and time information from the getversion.sh script used during build. Thanks for maintaining vboot-utils! live well, vagrant
From 163953ac2a68b76c7bc62449db3316f0db53ec94 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian <vagr...@reproducible-builds.org> Date: Tue, 29 Sep 2020 21:31:51 +0000 Subject: [PATCH 1/2] Add patch to avoid embedding the username and time of the build. This should be unnecessary in the context of building the packages in Debian, and breaks reproducible builds: https://reproducible-builds.org --- .../do-not-embed-user-and-time-in-version | 24 +++++++++++++++++++ debian/patches/series | 1 + 2 files changed, 25 insertions(+) create mode 100644 debian/patches/do-not-embed-user-and-time-in-version diff --git a/debian/patches/do-not-embed-user-and-time-in-version b/debian/patches/do-not-embed-user-and-time-in-version new file mode 100644 index 0000000..6c63f89 --- /dev/null +++ b/debian/patches/do-not-embed-user-and-time-in-version @@ -0,0 +1,24 @@ +From: Vagrant Cascadian <vagr...@reproducible-builds.org> +Subject: Avoid embedding user and time in version from getversion.sh +Date: 2020-09-29 + +The getversion.sh script embeds the build time and user who built the +binary, which breaks reproducible builds: + + https://reproducible-builds.org/ + +Without this patch, "/usr/bin/futility" embeds differing information +in the binary: + + unknown 2020-09-17 07:53:52 pbuilder1 vs. unknown 2021-10-21 16:19:17 pbuilder2 + +Index: vboot-utils/scripts/getversion.sh +=================================================================== +--- vboot-utils.orig/scripts/getversion.sh ++++ vboot-utils/scripts/getversion.sh +@@ -30,4 +30,4 @@ fi + + date=$(date '+%F %T') + +-echo "const char futility_version[] = \"${ver} ${date} ${USER}\";"; ++echo "const char futility_version[] = \"${ver}\";"; diff --git a/debian/patches/series b/debian/patches/series index bb9d533..694943a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -6,3 +6,4 @@ 0012-fix-spelling-errors.patch dont-build-with-werror.patch add-missing-flags-pie.patch +do-not-embed-user-and-time-in-version -- 2.28.0
signature.asc
Description: PGP signature
