Your message dated Mon, 16 Jan 2017 18:03:49 +0000
with message-id <[email protected]>
and subject line Bug#783210: fixed in glibc 2.24-9
has caused the Debian Bug report #783210,
regarding glibc: please make the package build reproducibly
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
783210: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783210
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: glibc
Version: 2.19-18
Severity: wishlist
Tags: patch
User: [email protected]
Usertags: timestamps fileordering umask username uname
Hi!
While working on the “reproducible builds” effort [1], we have noticed
that glibc could not be built reproducibly.
The attached patch addresses several issues:
1. The source tarball will now stay identical despite variations of
the time of the build, user, group, umask and file ordering.
2. version-info.h currently captures the build time and the current
kernel version. In the context of Debian this is not really useful
and a new patch simply removes it. The behavior is now the same
if built under Linux or not.
3. nscd uses the date and time of the build as a version marker. So a
patch is added to allow the build date to be set externally. The date
of the latest debian/changelog entry will be used instead of the
current time for Debian.
Once applied, glibc can be built reproducibly in our current
experimental framework.
[1]: https://wiki.debian.org/ReproducibleBuilds
--
Lunar .''`.
[email protected] : :Ⓐ : # apt-get install anarchism
`. `'`
`-
diff --git a/debian/changelog b/debian/changelog
index a06fc11..fbb6d32 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+glibc (2.19-18.0~reproducible1) UNRELEASED; urgency=low
+
+ * Make the package build reproducibly:
+ - any/local-reproducible-version-info.diff: new patch to remove build
+ system information and build date from version-info.h.
+ - any/unsubmitted-allow-to-set-build-date.diff: allow to set the
+ build date through an environment variable when running ./configure.
+ This is then used in nscd.
+ - Set the previously mentioned build date to the latest debian/changelog
+ entry.
+ - Create source tarball in a deterministic manner: adjust file
+ modification time, user, group, permissions, and file order.
+
+ -- Jérémy Bobbio <[email protected]> Thu, 23 Apr 2015 11:18:59 +0200
+
glibc (2.19-18) unstable; urgency=medium
[ Aurelien Jarno ]
diff --git a/debian/patches/any/local-reproducible-version-info.diff b/debian/patches/any/local-reproducible-version-info.diff
new file mode 100644
index 0000000..06012ea
--- /dev/null
+++ b/debian/patches/any/local-reproducible-version-info.diff
@@ -0,0 +1,49 @@
+To enable glibc to build reproducibly, we remove build system information
+and build date from version-info.h.
+
+diff --git a/csu/Makefile b/csu/Makefile
+index b5afea0..211c2e6 100644
+--- a/csu/Makefile
++++ b/csu/Makefile
+@@ -133,40 +133,7 @@ all-Banner-files = $(wildcard $(addsuffix /Banner,\
+ $(sysdeps-srcdirs))))
+ $(objpfx)version-info.h: $(common-objpfx)config.make $(all-Banner-files)
+ $(make-target-directory)
+- (case $(config-os) in \
+- linux*) version=`(printf '%s\n%s\n' \
+- '#include <linux/version.h>' \
+- UTS_RELEASE \
+- | $(CC) $(CPPFLAGS) -O -E -P - -DNOT_IN_libc=1 | \
+- sed -e 's/"\([^"]*\)".*/\1/p' -e d) 2>/dev/null`;\
+- if [ -z "$$version" ]; then \
+- version=`(printf '%s\n%s\n' \
+- '#include <linux/version.h>' \
+- LINUX_VERSION_CODE \
+- | $(CC) $(CPPFLAGS) -O -E -P - -DNOT_IN_libc=1 \
+- | sed -n -e '/^[123456789].*/p' \
+- | awk '{v=$$1; \
+- printf("%d.%d.%d\n", \
+- v/65535, v/256%256, v%256)}') \
+- 2>/dev/null`; \
+- fi; \
+- if [ -z "$$version" ]; then \
+- if [ -r /proc/version ]; then \
+- version=`sed 's/.*Linux version \([^ ]*\) .*/>>\1<</' \
+- < /proc/version`; \
+- else \
+- version=`uname -r`; \
+- fi; \
+- fi; \
+- os=`uname -s 2> /dev/null`; \
+- if [ -z "$$os" ]; then \
+- os=Linux; \
+- fi; \
+- printf '"Compiled on a %s %s system on %s.\\n"\n' \
+- "$$os" "$$version" "`date +%Y-%m-%d`";; \
+- *) ;; \
+- esac; \
+- files="$(all-Banner-files)"; \
++ (files="$(all-Banner-files)"; \
+ if test -n "$$files"; then \
+ printf '"Available extensions:\\n"\n'; \
+ sed -e '/^#/d' -e 's/^[[:space:]]*/ /' \
diff --git a/debian/patches/any/unsubmitted-allow-to-set-build-date.diff b/debian/patches/any/unsubmitted-allow-to-set-build-date.diff
new file mode 100644
index 0000000..df7662a
--- /dev/null
+++ b/debian/patches/any/unsubmitted-allow-to-set-build-date.diff
@@ -0,0 +1,75 @@
+nscd uses the date and time of the build as a version marker. In order to allow
+builds to be reproducible, we now allow the date to be set by the environment
+variable BUILD_DATE when running ./configure.
+
+diff --git a/config.h.in b/config.h.in
+index 40797e7..02ccb2d 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -246,3 +246,6 @@
+ #undef HAVE_MIPS_NAN2008
+
+ #endif
++
++/* Date and time of the build. */
++#undef BUILD_DATE
+diff --git a/configure.ac b/configure.ac
+index f3dd87d..aa0b30d 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -2173,6 +2173,11 @@ RELEASE=`sed -n -e 's/^#define RELEASE "\([^"]*\)"/\1/p' < $srcdir/version.h`
+ AC_SUBST(VERSION)
+ AC_SUBST(RELEASE)
+
++if "x$BUILD_DATE" = x; then
++ BUILD_DATE=`LC_ALL=C date -u '+%b %_d %Y %H:%M:%S'`
++fi
++AC_DEFINE_UNQUOTED([BUILD_DATE], ["$BUILD_DATE"], "Date and time of the build.")
++
+ AC_CONFIG_FILES([config.make Makefile])
+ AC_CONFIG_COMMANDS([default],[[
+ case $CONFIG_FILES in *config.make*)
+diff --git a/configure b/configure
+index fc023d0..b03be3f 100755
+--- a/configure
++++ b/configure
+@@ -7387,6 +7394,15 @@
+
+
+
++if "x$BUILD_DATE" = x; then
++ BUILD_DATE=`LC_ALL=C date -u '+%b %_d %Y %H:%M:%S'`
++fi
++
++cat >>confdefs.h <<_ACEOF
++#define BUILD_DATE "$BUILD_DATE"
++_ACEOF
++
++
+ ac_config_files="$ac_config_files config.make Makefile"
+
+ ac_config_commands="$ac_config_commands default"
+diff --git a/nscd/nscd_stat.c b/nscd/nscd_stat.c
+index 997ff46..1e75b84 100644
+--- a/nscd/nscd_stat.c
++++ b/nscd/nscd_stat.c
+@@ -28,6 +28,7 @@
+ #include <libintl.h>
+
+ #include "nscd.h"
++#include "config.h"
+ #include "dbg_log.h"
+ #include "selinux.h"
+ #ifdef HAVE_SELINUX
+@@ -37,7 +38,11 @@
+
+
+ /* We use this to make sure the receiver is the same. */
++#ifdef BUILD_DATE
++static const char compilation[21] = BUILD_DATE;
++#else
+ static const char compilation[21] = __DATE__ " " __TIME__;
++#endif
+
+ /* Statistic data for one database. */
+ struct dbstat
diff --git a/debian/patches/series b/debian/patches/series
index a5f9cac..5a95f62 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -272,3 +272,5 @@ any/cvs-getnetbyname.diff
any/cvs-vfprintf.diff
any/cvs-wscanf.diff
any/cvs-ldconfig-aux-cache.diff
+any/local-reproducible-version-info.diff
+any/unsubmitted-allow-to-set-build-date.diff
diff --git a/debian/rules b/debian/rules
index 24167cd..e483a4e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -58,6 +58,11 @@ DEB_SOURCE_PACKAGE := $(strip $(shell egrep '^Source: ' debian/control | cut -f
DEB_VERSION := $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ')
GLIBC_VERSION = $(shell echo $(DEB_VERSION) | sed -e 's/.*://' -e 's/-.*//')
+DEB_BUILD_DATE := $(shell dpkg-parsechangelog -S Date)
+# this one will be picked by configure script
+BUILD_DATE = $(shell date -u +'%b %_d %Y %H:%M:%S' -d '$(DEB_BUILD_DATE)')
+export BUILD_DATE
+
DEB_BUILDDIR ?= $(build-tree)/$(DEB_HOST_ARCH)-$(curpass)
GLIBC_SOURCES = $(addprefix $(shell basename $(CURDIR))/, \
diff --git a/debian/rules.d/build.mk b/debian/rules.d/build.mk
index 4df383c..91b8cab 100644
--- a/debian/rules.d/build.mk
+++ b/debian/rules.d/build.mk
@@ -275,9 +275,17 @@ endif
$(stamp)source: $(stamp)patch
mkdir -p $(build-tree)
- tar -c -J -C .. \
- -f $(build-tree)/glibc-$(GLIBC_VERSION).tar.xz \
- $(GLIBC_SOURCES)
+ cd .. && \
+ find $(GLIBC_SOURCES) -depth -newermt '$(DEB_BUILD_DATE)' \
+ -print0 | \
+ xargs -0r touch --no-dereference --date='$(DEB_BUILD_DATE)'
+ cd .. && \
+ find $(GLIBC_SOURCES) -print0 | \
+ LC_ALL=C sort -z | \
+ tar -c -J --null -T - --no-recursion \
+ --mode=go=rX,u+rw,a-s \
+ --owner=root --group=root --numeric-owner \
+ -f $(CURDIR)/$(build-tree)/glibc-$(GLIBC_VERSION).tar.xz
mkdir -p debian/glibc-source/usr/src/glibc
tar cf - --files-from debian/glibc-source.filelist \
| tar -x -C debian/glibc-source/usr/src/glibc -f -
signature.asc
Description: Digital signature
--- End Message ---
--- Begin Message ---
Source: glibc
Source-Version: 2.24-9
We believe that the bug you reported is fixed in the latest version of
glibc, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Aurelien Jarno <[email protected]> (supplier of updated glibc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Jan 2017 18:43:37 +0100
Source: glibc
Binary: libc-bin libc-dev-bin libc-l10n glibc-doc glibc-source locales
locales-all nscd multiarch-support libc6 libc6-dev libc6-dbg libc6-pic
libc6-udeb libc6.1 libc6.1-dev libc6.1-dbg libc6.1-pic libc6.1-udeb libc0.3
libc0.3-dev libc0.3-dbg libc0.3-pic libc0.3-udeb libc0.1 libc0.1-dev
libc0.1-dbg libc0.1-pic libc0.1-udeb libc6-i386 libc6-dev-i386 libc6-sparc
libc6-dev-sparc libc6-sparc64 libc6-dev-sparc64 libc6-s390 libc6-dev-s390
libc6-amd64 libc6-dev-amd64 libc6-powerpc libc6-dev-powerpc libc6-ppc64
libc6-dev-ppc64 libc6-mips32 libc6-dev-mips32 libc6-mipsn32 libc6-dev-mipsn32
libc6-mips64 libc6-dev-mips64 libc0.1-i386 libc0.1-dev-i386 libc6-x32
libc6-dev-x32 libc6-xen libc0.3-xen libc6.1-alphaev67 libc0.1-i686 libc0.3-i686
libc6-i686
Architecture: source
Version: 2.24-9
Distribution: unstable
Urgency: medium
Maintainer: GNU Libc Maintainers <[email protected]>
Changed-By: Aurelien Jarno <[email protected]>
Description:
glibc-doc - GNU C Library: Documentation
glibc-source - GNU C Library: sources
libc-bin - GNU C Library: Binaries
libc-dev-bin - GNU C Library: Development binaries
libc-l10n - GNU C Library: localization files
libc0.1 - GNU C Library: Shared libraries
libc0.1-dbg - GNU C Library: detached debugging symbols
libc0.1-dev - GNU C Library: Development Libraries and Header Files
libc0.1-dev-i386 - GNU C Library: 32bit development libraries for AMD64
libc0.1-i386 - GNU C Library: 32bit shared libraries for AMD64
libc0.1-i686 - transitional dummy package
libc0.1-pic - GNU C Library: PIC archive library
libc0.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3 - GNU C Library: Shared libraries
libc0.3-dbg - GNU C Library: detached debugging symbols
libc0.3-dev - GNU C Library: Development Libraries and Header Files
libc0.3-i686 - transitional dummy package
libc0.3-pic - GNU C Library: PIC archive library
libc0.3-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc0.3-xen - GNU C Library: Shared libraries [Xen version]
libc6 - GNU C Library: Shared libraries
libc6-amd64 - GNU C Library: 64bit Shared libraries for AMD64
libc6-dbg - GNU C Library: detached debugging symbols
libc6-dev - GNU C Library: Development Libraries and Header Files
libc6-dev-amd64 - GNU C Library: 64bit Development Libraries for AMD64
libc6-dev-i386 - GNU C Library: 32-bit development libraries for AMD64
libc6-dev-mips32 - GNU C Library: o32 Development Libraries for MIPS
libc6-dev-mips64 - GNU C Library: 64bit Development Libraries for MIPS64
libc6-dev-mipsn32 - GNU C Library: n32 Development Libraries for MIPS64
libc6-dev-powerpc - GNU C Library: 32bit powerpc development libraries for
ppc64
libc6-dev-ppc64 - GNU C Library: 64bit Development Libraries for PowerPC64
libc6-dev-s390 - GNU C Library: 32bit Development Libraries for IBM zSeries
libc6-dev-sparc - GNU C Library: 32bit Development Libraries for SPARC
libc6-dev-sparc64 - GNU C Library: 64bit Development Libraries for UltraSPARC
libc6-dev-x32 - GNU C Library: X32 ABI Development Libraries for AMD64
libc6-i386 - GNU C Library: 32-bit shared libraries for AMD64
libc6-i686 - transitional dummy package
libc6-mips32 - GNU C Library: o32 Shared libraries for MIPS
libc6-mips64 - GNU C Library: 64bit Shared libraries for MIPS64
libc6-mipsn32 - GNU C Library: n32 Shared libraries for MIPS64
libc6-pic - GNU C Library: PIC archive library
libc6-powerpc - GNU C Library: 32bit powerpc shared libraries for ppc64
libc6-ppc64 - GNU C Library: 64bit Shared libraries for PowerPC64
libc6-s390 - GNU C Library: 32bit Shared libraries for IBM zSeries
libc6-sparc - GNU C Library: 32bit Shared libraries for SPARC
libc6-sparc64 - GNU C Library: 64bit Shared libraries for UltraSPARC
libc6-udeb - GNU C Library: Shared libraries - udeb (udeb)
libc6-x32 - GNU C Library: X32 ABI Shared libraries for AMD64
libc6-xen - GNU C Library: Shared libraries [Xen version]
libc6.1 - GNU C Library: Shared libraries
libc6.1-alphaev67 - GNU C Library: Shared libraries (EV67 optimized)
libc6.1-dbg - GNU C Library: detached debugging symbols
libc6.1-dev - GNU C Library: Development Libraries and Header Files
libc6.1-pic - GNU C Library: PIC archive library
libc6.1-udeb - GNU C Library: Shared libraries - udeb (udeb)
locales - GNU C Library: National Language (locale) data [support]
locales-all - GNU C Library: Precompiled locale data
multiarch-support - Transitional package to ensure multiarch compatibility
nscd - GNU C Library: Name Service Cache Daemon
Closes: 783210 796106 847596 850182 850565
Changes:
glibc (2.24-9) unstable; urgency=medium
.
[ Samuel Thibault ]
* hurd-i386/tg-libpthread-gsync-mutex.diff: Update patch, fixes trylock
error return.
* hurd-i386/tg-magic-pid.diff: New patch, add support for /proc/self.
* hurd-i386/tg-mlockall.diff: New patch, add support for mlockall.
- control: Bump gnumach-dev build-depend accordingly.
* hurd-i386/tg-gsync-libc.diff: Fix linking against built libmachuser
instead of installed libmachuser.
* libc0.3.symbols.hurd-i386: Add vm_wire_all symbols.
.
[ Aurelien Jarno ]
* debian/sysdeps/{amd64,i386,x32}.mk: disable lock elision (aka Intel TSX)
on x86 architectures. This causes programs (wrongly) unlocking an already
unlocked mutex to abort. More importantly most of the other distributions
decided to disable it, so we don't want to be the only distribution left
testing this code path. Closes: #850182.
* debian/rules.d/build.mk: pass --no-recursion before -T in the call to tar
to workaround or fix bug#829738. This reduces the size of the glibc-source
package by 40%
* debian/patches/localedata/supported.diff: rename the kk_KZ locale with the
RK1048 charset to kk_KZ.RK1048 to avoid conflicting with the kk_KZ locale
with the PT154 charset. Closes: #847596.
* debian/patches/git-updates.diff: update from upstream stable branch:
- debian/patches/alpha/submitted-math-fixes.diff: Drop, merged upstream.
* patches/any/cvs-resolv-internal-qtype.diff: patch from upstream to fix a
NULL pointer dereference in libresolv when receiving a T_UNSPEC internal
QTYPE (CVE-2015-5180). Closes: #796106.
* Make the package build reproducibly, thanks to Ximin Luo for the patch.
Closes: #783210.
- debian/rules: export SOURCE_DATE_EPOCH when not building with
dpkg-buildpackage.
- debian/rules.d/build.mk: use --clamp-mtime instead of touching the
files.
- debian/rules.d/debhelper.mk: do not chmod +x the shell script, call
it with sh instead.
* debian/rules.d/control.mk: Add the sh3 architecture to libc6_archs.
Closes: #850565.
Checksums-Sha1:
55330e604868f98ee591d296f1f6606049ed7bf3 8351 glibc_2.24-9.dsc
8451261dd2f792c726a28535949f767437c40192 973160 glibc_2.24-9.debian.tar.xz
Checksums-Sha256:
c7ca2d54ff9b5e1cc32db75b9430d8caa51aa6c6b6aa40d06f7823905fcf7cc6 8351
glibc_2.24-9.dsc
942db07a2d095530aa2d54d55b4acddfe93b53abc4599c20d9705b0f95a740fe 973160
glibc_2.24-9.debian.tar.xz
Files:
3c9ffbdb695c7a8ef8c6f6a834d6c738 8351 libs required glibc_2.24-9.dsc
fbfb8f0fa5e1c79046406b55730ac274 973160 libs required
glibc_2.24-9.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEd0YmQqnvlP0Pdxltupx4Bh3djJsFAlh9BsQACgkQupx4Bh3d
jJviLRAAq3AwAqkKX9lAZgXKr4jp78nXnR8UPGlhK2zay6AjdK9UAUPvs4qcZzJg
dPxsLppRR0Bj2xgqJIZeetU93F8U1aEO2aAiCEybR9uZw72p/5h0EyAW5szBtdnD
NQxLwFfull+rRQ/j6SDd0XcLXiW0sVWrWo76AM4ThE0kRkCCGAL3l2zV9VSDz6hQ
gbnjyr4TKZf6ncjDMvaH5VAMkggW5fbzoWNr1qgaVNtOMQWTO3If+Yq5fKTYC3ae
ue0961defooNHGY+2qehO/ge4eM8Ox4vx30H1+z8jq0FKfYeyFkND8H4TRryPTdw
s7IyhM9rtOaCduy/aWMbMO2rT+UglDHaI02jYWpKWG6aQKUTZouErc/qO1K1EnrY
/ZSLRC202QOKl6pHTVqtoOlxIjOjPUn5aLpJRl6OZtG+Fw2I7S7ek32iHWS0pxsG
sU5/2vViILqqKyGsM1XR1GBN9v2TUAE4qJJz9ecCDjf+osiL01B9ZE4LdOMSyR6I
jdbQKjWW+o6bZBIPD8m+8F2VxzHo/sAOFa9MurHBrg0jDTXbg6oY3eQ9TrVWHttA
WviECWIiwAzAq/aoaBmD+iHZWJG4fXX6lypV+I6NtgYVS4HsUK7XR8CiuQ8lgOrU
RvNpRGW7WKHKsbvaJQHFXwEKIDOsZKjSMktb6AbMBoEBEIKP9Dg=
=QJTM
-----END PGP SIGNATURE-----
--- End Message ---
