Hi,

Reiner Herrmann <rei...@reiner-h.de> (2016-04-03):
> Source: debootstrap
> Version: 1.0.80
> Severity: wishlist
> Tags: patch
> User: reproducible-bui...@lists.alioth.debian.org
> Usertags: fileordering
> X-Debbugs-Cc: reproducible-bui...@lists.alioth.debian.org
> 
> Hi!
> 
> While working on the "reproducible builds" effort [1], we have noticed
> that debootstrap could not be built reproducibly.
> The devices.tar.gz tarball contains devices in unsorted (readdir) order.
> 
> The attached patch fixes this by telling tar to sort the archive
> members.
> 
> Regards,
>  Reiner
> 
> [1]: https://wiki.debian.org/ReproducibleBuilds

> diff --git a/Makefile b/Makefile
> index 1020cbc..07682bc 100644
> --- a/Makefile
> +++ b/Makefile
> @@ -36,7 +36,7 @@ devices.tar.gz:
>       chown 0:0 dev
>       chmod 755 dev
>       (cd dev && $(MAKEDEV) std ptmx fd consoleonly)
> -     tar --mtime="$(DATE)" -cf - dev | gzip -9n >devices.tar.gz
> +     tar --sort=name --mtime="$(DATE)" -cf - dev | gzip -9n >devices.tar.gz
>       @if [ "$$(tar tvf devices.tar.gz | wc -l)" -lt 2 ]; then \
>               echo " ** devices.tar.gz is empty!" >&2; \
>               exit 1; \
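
Review bot: On a tar that does not know `--sort=name`, the changed `tar ... | gzip -9n` line fails in a misleading way. The pipeline's exit status is gzip's by default, so the build stops only at the following member-count check and reports " ** devices.tar.gz is empty!" rather than the real cause. Consider probing for the option before using it, or failing early with a message that names the missing tar feature. A comment in the recipe saying that the option is there for reproducible member ordering would also help.
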
> diff --git a/debian/control b/debian/control
> index 46e2b93..40cfbcd 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -3,7 +3,7 @@ Section: admin
>  Priority: extra
>  Maintainer: Debian Install System Team <debian-boot@lists.debian.org>
>  Uploaders: Junichi Uekawa <dan...@debian.org>, Colin Watson 
> <cjwat...@debian.org>, Christian Perrier <bubu...@debian.org>, Steve McIntyre 
> <93...@debian.org>
> -Build-Depends: debhelper (>= 9), makedev (>= 2.3.1-69) [linux-any]
> +Build-Depends: debhelper (>= 9), makedev (>= 2.3.1-69) [linux-any], tar (>= 
> 1.28)
>  Standards-Version: 3.9.6
>  Vcs-Browser: https://anonscm.debian.org/cgit/d-i/debootstrap.git
>  Vcs-Git: https://anonscm.debian.org/git/d-i/debootstrap.git
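
Review bot: The `tar (>= 1.28)` added to Build-Depends makes member ordering, a reproducibility improvement, into a hard build requirement for every target. If the Makefile adds `--sort=name` only when the local tar accepts it, this versioned constraint can be dropped and the package stays buildable with older tar. Note also that the Build-Depends line is wrapped in this mail, so the hunk needs unwrapping before it applies.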

Thanks for the patch.

I'm not sure it's reasonable to introduce a versioned build-dep on tar
at this point: 1.28 is only available in sid and stretch, and we tend to
backport debootstrap semi-regularly to stable.

Is there any chance we could detect which tar version/features we have,
and only add --sort=name when it's fine to do so?


KiBi.
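
One way to do the feature detection asked about above, as an added example that is not part of this thread or of debootstrap: probe whether the local tar accepts `--sort=name`, and otherwise feed tar a sorted member list. The function names and the sample date are hypothetical; it assumes GNU tar and member names without newlines.

```shell
#!/bin/sh
# Added example: deterministic member order with or without tar --sort=name.

# Return 0 if this tar accepts --sort=name (GNU tar >= 1.28).
tar_supports_sort() {
    probe=$(mktemp -d) || return 1
    : >"$probe/f"
    tar --sort=name -cf /dev/null -C "$probe" f >/dev/null 2>&1
    rc=$?
    rm -rf "$probe"
    return $rc
}

# pack_sorted_fallback DIR MTIME: for older tar. Fix the order ourselves
# (LC_ALL=C so the sort does not depend on the build locale) and stop tar
# from recursing, so it archives exactly the listed names in that order.
pack_sorted_fallback() {
    find "$1" -print | LC_ALL=C sort |
        tar --no-recursion --mtime="$2" -cf - -T -
}

# pack_sorted DIR MTIME: write a tar stream of DIR to stdout with members
# in a stable order instead of readdir order.
# Both branches are deterministic, but they are not guaranteed to produce
# the same order as each other for every set of names (tar sorts entries
# per directory, the fallback sorts full paths).
pack_sorted() {
    if tar_supports_sort; then
        tar --sort=name --mtime="$2" -cf - "$1"
    else
        pack_sorted_fallback "$1" "$2"
    fi
}

# Stand-alone use (constructed date):
#   pack_sorted dev "2016-04-03 00:00:00Z" | gzip -9n >devices.tar.gz
```
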
