Bug#920631: debian-installer: Ensure build is reproducible regardless of the user's umask(2)
Hi,
> debian-installer: Ensure build is reproducible regardless of the user's umask(2)
Updated patch attached; we were not setting the permissions
correctly on character/block devices, specifically the /dev/console
(etc.) that we manually create with mknod.
The relevant interdiff is:
- find $(1) -type f -print0 | xargs -0r chmod $(FILE_MODE)
+ find $(1) -not -type d -print0 | xargs -0r chmod $(FILE_MODE)
Regards,
--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-
From 268beba9a6a9ac0fc7d419bf7473b8974e8b0e93 Mon Sep 17 00:00:00 2001
From: Chris Lamb <lamby@debian.org>
Date: Mon, 28 Jan 2019 09:23:14 +0100
Subject: [PATCH] Ensure build is reproducible regardless of the user's
umask(2).
Set consistent file creation modes at strategic points to ensure that the
resulting build is reproducible regardless of whether the user is using the
default Debian umask (022) or another (eg. 002).
---
build/Makefile | 16 ++++++++++++----
build/config/common | 5 +++++
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/build/Makefile b/build/Makefile
index 2e6a0c76c..ebbca4bdf 100644
--- a/build/Makefile
+++ b/build/Makefile
@@ -146,6 +146,11 @@ define clamp_mtimes
find $(1) -newermt "@$(SOURCE_DATE_EPOCH)" -print0 | xargs -0r touch --no-dereference --date="@$(SOURCE_DATE_EPOCH)"
endef
+define normalise_permissions
+ find $(1) -type d -print0 | xargs -0r chmod $(DIR_MODE)
+ find $(1) -not -type d -print0 | xargs -0r chmod $(FILE_MODE)
+endef
+
# Limit on mfsroot size. It is determined by NKPT (in <machine/pmap.h).
# On amd64, it can be increased by increasing this variable. On i386,
# this is a hard limit due to constraints of 4 GiB VM space.
@@ -312,6 +317,7 @@ release:
cd $(BASE_DEST) && sha256sum `find -L . -type f | sort` > SHA256SUMS
# We have just modified files
$(clamp_mtimes) $(BASE_DEST)
+ $(normalise_permissions) $(BASE_DEST)
# The general tree target.
$(STAMPS)tree-unpack-$(targetstring)-stamp: $(STAMPS)get_udebs-$(targetstring)-stamp
@@ -654,9 +660,10 @@ endif
# Remove extra udebs now that we're done with them.
rm -rf $(EXTRAUDEBSDIR)
- # Clamp timestamps to be no later than SOURCE_DATE_EPOCH before they
- # get added to media.
+ # Clamp timestamps to be no later than SOURCE_DATE_EPOCH and normalise
+ # file modes before they get added to media.
$(clamp_mtimes) $(TREE)
+ $(normalise_permissions) $(TREE)
# Tree target ends here. Whew!
@touch $@
@@ -754,9 +761,10 @@ ifeq ($(DEB_HOST_ARCH_OS),hurd)
fi
endif
- # We may have modified $(TREE)/lib, so re-clamp before placing these
- # files into archives.
+ # We may have modified $(TREE)/lib, so re-clamp and normalise before
+ # placing these files into archives.
$(clamp_mtimes) $(TREE)/lib
+ $(normalise_permissions) $(TREE)/lib
install -d $(TEMP)
diff --git a/build/config/common b/build/config/common
index 4ef4609ca..74f7d2dcb 100644
--- a/build/config/common
+++ b/build/config/common
@@ -69,6 +69,11 @@ SOURCE_DATE_EPOCH ?= $(shell date '+%s')
# to reproduce the build.
BUILD_DATE ?= $(shell date -u '+%Y%m%d-%H:%M:%S' -d '@$(SOURCE_DATE_EPOCH)')
+# Set consistent file creation modes for a reproducible build, taking care
+# not to modify existing executable bits on files.
+DIR_MODE = 755
+FILE_MODE = u+rw,g+r-w,o+r-w
+
# Produce a beep at boot menu
BOOTMENU_BEEP ?= n
--
2.20.1
Reply to: