
[2/5] support/download: generate even more reproducible tarballs

Message ID 87ecf117f50e4758946f6b0ce54436f09435f4bc.1694556946.git.yann.morin.1998@free.fr
State Accepted
Series support/download/git: add support for git attributes (branch yem/git-attributes)

Commit Message

Yann E. MORIN Sept. 12, 2023, 10:15 p.m. UTC
When we generate the tarballs off a local working copy of a VCS tree,
the umask is the one that we enforce in our top-level Makefile.

However, it is possible that a user manually tinkers in said working
copy (e.g. to check an upstream bug fix, or regression). If the user
umask is different from the one Buildroot enforces, such tinkering
can impact the mode bits of the files, even if their content is not
modified.

When we eventually need to create a tarball from said working copy,
the VCS (e.g. git) will only be interested in checking whether the
content of the files has changed before checking them out, and will
not look at, and restore/fix, the mode bits.

As a consequence, we may create non-reproducible archives.

We fix that by enforcing the mode bits on the files before we create
the tarball: we disable the write and execute bits, and only set the
execute bit if the user execute bit is set.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Vincent Fazio <vfazio@xes-inc.com>
---
 support/download/helpers | 3 +++
 1 file changed, 3 insertions(+)
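To see the effect the commit message describes, here is an added shell example (not Buildroot's own code, and not the `mk_tar_gz` helper): it builds two trees with identical content, gives the second one the group/others bits a umask of 002 would leave behind, shows that a deterministic tarball of each still hashes differently, then applies the same `chmod -R go-wx+X` the patch adds and shows the hashes now match. It assumes GNU tar, coreutils `sha256sum` and `mktemp`; the tar options used to pin everything except the mode bits are this example's own choice, and all function names are mine.

```shell
#!/bin/sh
# Added example, not Buildroot's own code: show that two trees with identical
# content but different group/others mode bits produce different tarballs,
# and that `chmod -R go-wx+X` (the normalisation the patch adds) makes them
# archive identically. Assumes GNU tar, coreutils sha256sum and mktemp; the
# tar options below are this example's own choice of a deterministic
# archive, not the ones used by Buildroot's mk_tar_gz.
set -eu

# Create a small tree: one script (u+x) and one data file, with explicit modes.
make_tree() {
    mkdir -p "$1/sub"
    printf 'echo hello\n' > "$1/sub/run.sh"
    printf 'data\n' > "$1/data.txt"
    chmod 755 "$1/sub/run.sh"
    chmod 644 "$1/data.txt"
}

# Hash a deterministic tarball of a tree: fixed mtime, numeric owner 0:0,
# C-locale sorted non-directory entries. With everything else pinned, the
# only header field that can still differ between two trees is the mode.
tree_hash() {
    (
        cd "$1"
        find . -not -type d | LC_ALL=C sort \
            | tar --format=gnu --mtime=@946684800 --owner=0 --group=0 \
                  --numeric-owner --no-recursion -cf - -T -
    ) | sha256sum | cut -d' ' -f1
}

# Exit status 0 when the two trees archive to byte-identical tarballs.
same_archive() {
    [ "$(tree_hash "$1")" = "$(tree_hash "$2")" ]
}

# Exactly the normalisation the patch performs in mk_tar_gz: clear group and
# others write/execute, then re-add execute only where the user bit is set
# (or for directories). Order matters: -wx runs before +X.
normalise_modes() {
    chmod -R go-wx+X "$1"
}

# Build two trees with identical content, simulate "tinkering" under a more
# permissive umask (002) in the second one, and compare before and after.
# Prints "before:1 after:0": 1 means the archives differ, 0 means they match.
run_demo() {
    work="$(mktemp -d)"
    make_tree "$work/a"
    make_tree "$work/b"
    chmod 775 "$work/b/sub/run.sh"   # group write added, content unchanged
    chmod 664 "$work/b/data.txt"
    before=1
    same_archive "$work/a" "$work/b" && before=0
    normalise_modes "$work/a"
    normalise_modes "$work/b"
    after=1
    same_archive "$work/a" "$work/b" && after=0
    rm -rf "$work"
    echo "before:$before after:$after"
}

run_demo
```

Note that `run.sh` keeps its executable bit after normalisation because the user execute bit is still set when `+X` is evaluated, whereas `data.txt` ends up 644 in both trees; this is the distinction the commit message draws between "disable the write and execute bits" and "only set the execute bit if the user execute bit is set".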

Comments

Peter Korsgaard Sept. 24, 2023, 4:05 p.m. UTC | #1
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:

> When we generate the tarballs off a local working copy of a VCS tree,
> the umask is the one that we enforce in our top-level Makefile.

> However, it is possible that a user manually tinkers in said working
> copy (e.g. to check an upstream bug fix, or regression). If the user
> umask is different from the one Buildroot enforces, such tinkering
> can impact the mode bits of the files, even if their content is not
> modified.

> When we eventually need to create a tarball from said working copy,
> the VCS (e.g. git) will only be interested in checking whether the
> content of the files has changed before checking them out, and will
> not look at, and restore/fix, the mode bits.

> As a consequence, we may create non-reproducible archives.

> We fix that by enforcing the mode bits on the files before we create
> the tarball: we disable the write and execute bits, and only set the
> execute bit if the user execute bit is set.

> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Vincent Fazio <vfazio@xes-inc.com>

Committed to 2023.02.x, 2023.05.x and 2023.08.x, thanks.

Patch

diff --git a/support/download/helpers b/support/download/helpers
index 90a7d6c1ec..265685eff5 100755
--- a/support/download/helpers
+++ b/support/download/helpers
@@ -53,6 +53,9 @@  mk_tar_gz() {
     tmp="$(mktemp --tmpdir="$(pwd)")"
     pushd "${in_dir}" >/dev/null
 
+    # Enforce group/others mode bits
+    chmod -R go-wx+X .
+
     # Establish list
     find . -not -type d -and -not \( -false "${find_opts[@]}" \) >"${tmp}.list"
     # Sort list for reproducibility
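Review bot: the mode spec `go-wx+X` touches only the group and others bits, so the user bits (in particular user write) are left exactly as the working copy has them, while the commit message says "we disable the write and execute bits" without that qualifier; the in-hunk comment "Enforce group/others mode bits" is the accurate description, and the commit message should say group/others too. A word in the comment on ordering would also help: `-wx` is applied before `+X`, so once group/others execute is cleared, `+X` can only re-add it where the user execute bit (or a directory) remains, which is what makes the "only if the user execute bit is set" guarantee hold. Finally, because the `chmod -R` runs after the `pushd "${in_dir}"`, it rewrites the mode bits of the working copy itself rather than of a temporary copy; that matches the stated intent, but it is worth saying so explicitly in the commit message.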