Fix mm-common reproduciblility issues

  • Done
  • quality assurance status badge
Details
2 participants
  • Ludovic Courtès
  • Vagrant Cascadian
Owner
unassigned
Submitted by
Vagrant Cascadian
Severity
normal
V
V
Vagrant Cascadian wrote on 20 Aug 2022 04:51
(address . guix-patches@gnu.org)
874jy7k4p2.fsf@contorta
The userid used during the build is embedded in a shipped tarball in the
mm-common package. Some abbreviated diffoscope output from guix
challenge against builds from ci.guix.gnu.org and bordeax.guix.gnu.org:

? ? ? ? --- /tmp/guix-directory.rKX8CR/share/doc/mm-common/skeletonmm.tar.xz
? ? ? ??? +++ /tmp/guix-directory.rlW2tI/share/doc/mm-common/skeletonmm.tar.xz
? ? ? ? ??? skeletonmm.tar
? ? ? ? ? ??? file list
? ? ? ? ? ? @@ -1,36 +1,36 @@
? ? ? ? ? ? +-rw-r--r-- 0 nixbld (996) nixbld (30000) 60 2021-05-20 08:57:07.009229 skeletonmm/.gitignore
? ? ? ? ? ? +-rw-r--r-- 0 nixbld (996) nixbld (30000) 59 2021-05-20 08:57:07.009229 skeletonmm/AUTHORS
? ? ? ? ? ? +-rw-r--r-- 0 nixbld (996) nixbld (30000) 26527 2021-05-20 08:57:07.009229 skeletonmm/COPYING
...
? ? ? ? ? ? --rw-r--r-- 0 nixbld (995) nixbld (30000) 60 2021-05-20 08:57:07.009229 skeletonmm/.gitignore
? ? ? ? ? ? --rw-r--r-- 0 nixbld (995) nixbld (30000) 59 2021-05-20 08:57:07.009229 skeletonmm/AUTHORS
? ? ? ? ? ? --rw-r--r-- 0 nixbld (995) nixbld (30000) 26527 2021-05-20 08:57:07.009229 skeletonmm/COPYING


The attached patch fixes this by setting the user, group, uid and gid
consistently.

$ guix refresh --list-dependent mm-common
Building the following 1138 packages would ensure 2236 dependent
packages are rebuilt: ...

Looks like it will have to wait for core-updates at least...

live well,
vagrant
From 4b359c9bbc918e6dcf1cab1141a9651d6d7bf271 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Fri, 19 Aug 2022 19:32:08 -0700
Subject: [PATCH] gnu: mm-common: Build reproducibly.

* gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patch.
* gnu/packages/gnome.scm (mm-common)[source]: Add patch.
---
gnu/local.mk | 1 +
gnu/packages/gnome.scm | 5 ++-
...consistent-user-and-group-in-tarball.patch | 40 +++++++++++++++++++
3 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch

Toggle diff (76 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 4e4ad908ce..20d322e27f 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1516,6 +1516,7 @@ dist_patch_DATA = \
%D%/packages/patches/mit-krb5-hurd.patch \
%D%/packages/patches/mixxx-link-qtscriptbytearray-qtscript.patch \
%D%/packages/patches/mixxx-system-googletest-benchmark.patch \
+ %D%/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch \
%D%/packages/patches/mpc123-initialize-ao.patch \
%D%/packages/patches/mpg321-CVE-2019-14247.patch \
%D%/packages/patches/mpg321-gcc-10.patch \
diff --git a/gnu/packages/gnome.scm b/gnu/packages/gnome.scm
index ae46e55c51..790881b9d8 100644
--- a/gnu/packages/gnome.scm
+++ b/gnu/packages/gnome.scm
@@ -1143,7 +1143,10 @@ (define-public mm-common
"mm-common-" version ".tar.xz"))
(sha256
(base32
- "1x8yvjy0yg17qyhmqws8xh2k8dvzrhpwqz7j1cfwzalrb1i9c5g8"))))
+ "1x8yvjy0yg17qyhmqws8xh2k8dvzrhpwqz7j1cfwzalrb1i9c5g8"))
+ (patches
+ (search-patches
+ "mm-common-consistent-user-and-group-in-tarball.patch"))))
(build-system meson-build-system)
(arguments
`(#:phases
diff --git a/gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch b/gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch
new file mode 100644
index 0000000000..f0890aaf57
--- /dev/null
+++ b/gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch
@@ -0,0 +1,40 @@
+From 024c121c844a4ec920133eb3f7e6b6ee8044c0b6 Mon Sep 17 00:00:00 2001
+From: Vagrant Cascadian <vagrant@reproducible-builds.org>
+Date: Sat, 12 Dec 2020 04:05:56 +0000
+Original-Patch: https://bugs.debian.org/977177
+Subject: [PATCH] Set uid, username, gid, and group name on files in
+ generated tarball.
+
+The user and group may otherwise vary between builds on different systems.
+
+---
+ util/meson_aux/skeletonmm-tarball.py | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/util/meson_aux/skeletonmm-tarball.py b/util/meson_aux/skeletonmm-tarball.py
+index db9e650..89049b6 100755
+--- a/util/meson_aux/skeletonmm-tarball.py
++++ b/util/meson_aux/skeletonmm-tarball.py
+@@ -39,10 +39,18 @@ elif output_file.endswith('.gz'):
+ else:
+ mode = 'w'
+
++def reproducible(tarinfo):
++ # Set consistent user and group on files in the tar archive
++ tarinfo.uid = 0
++ tarinfo.uname = 'root'
++ tarinfo.gid = 0
++ tarinfo.gname = 'root'
++ return tarinfo
++
+ with tarfile.open(output_file, mode=mode) as tar_file:
+ os.chdir(source_dir) # Input filenames are relative to source_dir.
+ for file in sys.argv[3:]:
+- tar_file.add(file)
++ tar_file.add(file, filter=reproducible)
+ # Errors raise exceptions. If an exception is raised, Meson+ninja will notice
+ # that the command failed, despite exit(0).
+ sys.exit(0)
+--
+2.29.2
+
--
2.35.1
-----BEGIN PGP SIGNATURE-----

iHQEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCYwBMOgAKCRDcUY/If5cW
qj+SAP9EL+FWqTYx+VH5wPj6XJLXeTGbfqU0is59CvDhnrEvHwD2P+oD/A4zPKW4
nFQLtY5HXmgtsOtGnjehjVmxvqwVCQ==
=kiIJ
-----END PGP SIGNATURE-----

L
L
Ludovic Courtès wrote on 30 Aug 2022 22:34
(name . Vagrant Cascadian)(address . vagrant@reproducible-builds.org)(address . 57304@debbugs.gnu.org)
87czcheahy.fsf@gnu.org
Hi,

Vagrant Cascadian <vagrant@reproducible-builds.org> skribis:

Toggle quote (4 lines)
> The userid used during the build is embedded in a shipped tarball in the
> mm-common package. Some abbreviated diffoscope output from guix
> challenge against builds from ci.guix.gnu.org and bordeax.guix.gnu.org:

Good catch.

Toggle quote (9 lines)
> The attached patch fixes this by setting the user, group, uid and gid
> consistently.
>
> $ guix refresh --list-dependent mm-common
> Building the following 1138 packages would ensure 2236 dependent
> packages are rebuilt: ...
>
> Looks like it will have to wait for core-updates at least...

Yeah, let’s apply it on ‘core-updates’.

Toggle quote (10 lines)
> From 4b359c9bbc918e6dcf1cab1141a9651d6d7bf271 Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
> Date: Fri, 19 Aug 2022 19:32:08 -0700
> Subject: [PATCH] gnu: mm-common: Build reproducibly.
>
> * gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patch.
> * gnu/packages/gnome.scm (mm-common)[source]: Add patch.

[...]

Toggle quote (2 lines)
> + %D%/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch \

I’d suggest a shorter name to appease ‘tar’, say
‘mm-common-reproducible-tarball.patch’.

Otherwise LGTM, thanks!

Ludo’.
V
V
Vagrant Cascadian wrote on 31 Aug 2022 02:46
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 57304-done@debbugs.gnu.org)
87h71tfdfa.fsf@contorta
On 2022-08-30, Ludovic Courtès wrote:
Toggle quote (35 lines)
> Vagrant Cascadian <vagrant@reproducible-builds.org> skribis:
>> The userid used during the build is embedded in a shipped tarball in the
>> mm-common package. Some abbreviated diffoscope output from guix
>> challenge against builds from ci.guix.gnu.org and bordeax.guix.gnu.org:
>
> Good catch.
>
>> The attached patch fixes this by setting the user, group, uid and gid
>> consistently.
>>
>> $ guix refresh --list-dependent mm-common
>> Building the following 1138 packages would ensure 2236 dependent
>> packages are rebuilt: ...
>>
>> Looks like it will have to wait for core-updates at least...
>
> Yeah, let’s apply it on ‘core-updates’.
>
>> From 4b359c9bbc918e6dcf1cab1141a9651d6d7bf271 Mon Sep 17 00:00:00 2001
>> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
>> Date: Fri, 19 Aug 2022 19:32:08 -0700
>> Subject: [PATCH] gnu: mm-common: Build reproducibly.
>>
>> * gnu/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch:
>> New file.
>> * gnu/local.mk (dist_patch_DATA): Add patch.
>> * gnu/packages/gnome.scm (mm-common)[source]: Add patch.
>
> [...]
>
>> + %D%/packages/patches/mm-common-consistent-user-and-group-in-tarball.patch \
>
> I’d suggest a shorter name to appease ‘tar’, say
> ‘mm-common-reproducible-tarball.patch’.

I do not think tar is too worried about that anymore since the updated
tar format, but it is easier on human eyes, so I'll go along with it. :)

Pushed 5ce7178eb8375716625de14f59e227fdd9b8d9f0 to core-updates!


live well,
vagrant
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRlgHNhO/zFx+LkXUXcUY/If5cWqgUCYw6vSgAKCRDcUY/If5cW
qolJAQC/ZkONpQIVrQcmd26nkbkfiOGTJhFGPr367oXPugQ3IAEAzyMeqcBVVGv/
xu4v164mR3ImjqBK2WgCpx40iAyirQM=
=qk/E
-----END PGP SIGNATURE-----

Closed
?
Your comment

This issue is archived.

To comment on this conversation send an email to 57304@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 57304
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch