Source: apg
Severity: wishlist
Tags: patch, upstream
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
User: reproducible-bui...@lists.alioth.debian.org
Usertags: username
Control: block -1 by 1102758
Dear Maintainer,

This bug report is a companion to previous bug reports #870890 and #1079041, and (in my opinion) should be blocked until recent bug report #1102758 is resolved.

Recent rebuilds[1][2] of src:apg have uncovered the possibility for the tarfile metadata of the php.tar.gz file in the resulting binary package to vary based on the build environment.

Recommended guidance[3] from the Reproducible Builds project documentation is to fix the UID and GID in tarball archives to zero, and to use solely numeric owner/group identifiers (omitting string-based usernames/groupnames).

Please find attached a patch to apply these recommendations; I have confirmed that the build succeeds and that solely numeric user/group identifiers are found in the resulting php.tar.gz file after the patch is applied, where previously string-based identifiers were emitted.

I'll also offer this as a merge request on Salsa.

Thank you,
James

[1] - https://reproduce.debian.net/amd64/api/v0/builds/250671/diffoscope
[2] - https://reproduce.debian.net/arm64/api/v0/builds/159768/diffoscope
[3] - https://reproducible-builds.org/docs/archives/#users-groups-and-numeric-ids
--- a/debian/rules +++ b/debian/rules @@ -22,6 +22,7 @@ mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg tar --create --verbose --file - --directory $(CURDIR)/php/apgonline/ \ --clamp-mtime --mtime="@$(SOURCE_DATE_EPOCH)" \ + --owner=0 --group=0 --numeric-owner \ --mode=u=rwX,go=rX --sort=name . | gzip --no-name > php.tar.gz install -D --mode=0644 php.tar.gz $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz rm php.tar.gz
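Review bot: `--numeric-owner` is the load-bearing flag in this hunk and deserves a one-line comment in debian/rules, because `--owner=0 --group=0` on their own still make GNU tar look up the uname/gname strings for uid/gid 0 in the build environment's passwd and group databases and store them in the header; only `--numeric-owner` leaves those fields empty, which is the property the report verifies. A short comment above the tar invocation (for example `# fixed 0/0 ownership, numeric only: metadata must not depend on the build host`) would stop the flag from being dropped later as apparently redundant next to `--owner=0 --group=0`. The check described in the report can also be kept in the rules file as a guard after the archive is written: `tar --numeric-owner -tvf php.tar.gz` must list 0/0 for every member, and any `root/root` in that listing means the name strings are back.

The property the patch establishes, shown as an added Python example (not code from the apg package or from the Reproducible Builds project): the same archive is built from two constructed "build hosts" that differ only in the uid/gid, user/group names and file timestamps they would record, once without any normalisation and once with a filter that mirrors the patch's `--owner=0 --group=0 --numeric-owner --clamp-mtime` flags together with `gzip --no-name`. `find_unstable_metadata` is the check a reviewer would run over the resulting php.tar.gz; the `SOURCE_DATE_EPOCH` value and both member lists are constructed for the demonstration, and `tarfile.GNU_FORMAT` is used because it matches the header layout GNU tar writes by default.

```python
"""Check a tarball for build-host-dependent owner metadata and build one without it.

Added example, not the apg package's own code.  The epoch and the two
'host' member lists below are constructed sample input.
"""
import gzip
import io
import tarfile

# Assumed value for the demo; dpkg exports the real SOURCE_DATE_EPOCH at build time.
SOURCE_DATE_EPOCH = 1700000000

# Constructed input: identical file content as seen from two different build
# hosts, which differ only in the owner fields and mtimes they would record.
# Tuple layout: (name, content, uid, gid, uname, gname, mtime)
HOST_A = [("./index.php", b"<?php echo 'apg';\n", 1000, 1000, "buildd", "buildd", 1800000000)]
HOST_B = [("./index.php", b"<?php echo 'apg';\n", 2000, 100, "jenkins", "users", 1800000001)]


def normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Python equivalent of tar's --owner=0 --group=0 --numeric-owner --clamp-mtime."""
    info.uid = 0
    info.gid = 0
    info.uname = ""  # empty name fields: only the numeric ids are recorded
    info.gname = ""
    info.mtime = min(info.mtime, SOURCE_DATE_EPOCH)  # clamp, never raise
    return info


def build_archive(members, filter_fn=None) -> bytes:
    """Build a .tar.gz from (name, content, uid, gid, uname, gname, mtime) tuples.

    Members are added in sorted order (tar --sort=name) and the gzip wrapper is
    written with a zero timestamp and no filename (gzip --no-name).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data, uid, gid, uname, gname, mtime in sorted(members):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644  # tar --mode=u=rwX,go=rX for a regular file
            info.uid, info.gid = uid, gid
            info.uname, info.gname = uname, gname
            info.mtime = mtime
            if filter_fn is not None:
                info = filter_fn(info)
            tar.addfile(info, io.BytesIO(data))
    return gzip.compress(buf.getvalue(), mtime=0)


def find_unstable_metadata(archive: bytes):
    """Return (member, problem) pairs for header fields that depend on the build host."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for info in tar.getmembers():
            if info.uid != 0 or info.gid != 0:
                problems.append((info.name, f"uid/gid {info.uid}/{info.gid} not 0/0"))
            if info.uname or info.gname:
                problems.append((info.name, f"name strings {info.uname!r}/{info.gname!r} stored"))
            if info.mtime > SOURCE_DATE_EPOCH:
                problems.append((info.name, f"mtime {info.mtime} later than SOURCE_DATE_EPOCH"))
    return problems


def archives_identical(filter_fn=None) -> bool:
    """True when both constructed hosts produce byte-identical php.tar.gz output."""
    return build_archive(HOST_A, filter_fn) == build_archive(HOST_B, filter_fn)


if __name__ == "__main__":
    print("unpatched, host A:", find_unstable_metadata(build_archive(HOST_A)))
    print("unpatched, hosts agree:", archives_identical())
    print("patched, host A:", find_unstable_metadata(build_archive(HOST_A, normalize)))
    print("patched, hosts agree:", archives_identical(normalize))
```

Running it shows three findings for the unpatched archive (non-zero ids, stored name strings, mtime past the epoch) and archives that differ between the two hosts, while the normalised build has no findings and yields identical bytes from both. The same check applies to a real php.tar.gz by reading its bytes into `find_unstable_metadata`.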