[Buildroot] [PATCH v4 1/1] package/tar: bump target version to 1.32 (host is kept at 1.31)

James Hilliard james.hilliard1 at gmail.com
Thu Jan 16 00:16:00 UTC 2020


From: Luc Creti <luc.creti at atos.net>

The host tar is used to create the archives in the VCS download backends
(git, cvs, svn, hg...) and tar 1.30 and forward have changed the way
they generate the archives.

So archives that were generated before tar 1.30 was released cannot be
reproduced bit-for-bit by newer versions (even though the extracted content
would be the same), and the hashes we have for those archives would not match.

Hence host-tar requires a patch to restore reproducibility.

Since there is no tar-1.32.cpio.gz available we must keep host-tar at
version 1.31.

Fixes: https://bugs.busybox.net/show_bug.cgi?id=12256

Signed-off-by: Luc Creti <luc.creti at atos.net>
Signed-off-by: Carlos Santos <unixmania at gmail.com>
Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
---
Changes v0->v1:
  - Commit message rewritten based on comment from Yann E. MORIN
Changes v1->v2:
  - Title modified to enphasize that host-tar is kept at 1.29
Changes v2->v3
  - Add a comment in the .mk file that explains why the host-tar package
    is kept at 1.29 and not bumped to any higher version
  - Add missing spaces around '='
  - Spell Author name as 'Luc Creti'
Changes v3->v4
  - Bump host-tar to 1.31 and patch it to restore reproducibility.
---
 .../0001-tar-fix-reproducibility-issue.patch  | 42 +++++++++++++++++++
 package/tar/tar.hash                          |  4 +-
 package/tar/tar.mk                            | 20 +++++++--
 3 files changed, 60 insertions(+), 6 deletions(-)
 create mode 100644 package/tar/host/0001-tar-fix-reproducibility-issue.patch

diff --git a/package/tar/host/0001-tar-fix-reproducibility-issue.patch b/package/tar/host/0001-tar-fix-reproducibility-issue.patch
new file mode 100644
index 0000000000..a2417694e4
--- /dev/null
+++ b/package/tar/host/0001-tar-fix-reproducibility-issue.patch
@@ -0,0 +1,42 @@
+From e79e62e3e066545ba5319e2a905e62a0bb47e9e1 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd at nbd.name>
+Date: Mon, 19 Dec 2016 21:06:07 +0100
+Subject: [PATCH] tar: fix reproducibility issue
+
+Force root/root as names for uid0/gid0 instead of using the system
+names. This helps make packed download tarballs more reproducible
+
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
+[James Hilliard: import patch from openwrt]
+---
+ src/create.c | 13 ++-----------
+ 1 file changed, 2 insertions(+), 11 deletions(-)
+
+diff --git a/src/create.c b/src/create.c
+index bb9c115..1baee36 100644
+--- a/src/create.c
++++ b/src/create.c
+@@ -543,17 +543,8 @@ write_gnu_long_link (struct tar_stat_info *st, const char *p, char type)
+   union block *header;
+ 
+   header = start_private_header ("././@LongLink", size, 0);
+-  if (! numeric_owner_option)
+-    {
+-      static char *uname, *gname;
+-      if (!uname)
+-	{
+-	  uid_to_uname (0, &uname);
+-	  gid_to_gname (0, &gname);
+-	}
+-      UNAME_TO_CHARS (uname, header->header.uname);
+-      GNAME_TO_CHARS (gname, header->header.gname);
+-    }
++  UNAME_TO_CHARS ("root", header->header.uname);
++  GNAME_TO_CHARS ("root", header->header.gname);
+ 
+   strcpy (header->buffer + offsetof (struct posix_header, magic),
+ 	  OLDGNU_MAGIC);
+-- 
+2.20.1
+
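Review bot: The imported patch removes the `if (! numeric_owner_option)` guard in `write_gnu_long_link`, so the `././@LongLink` header now carries `root`/`root` even when numeric owners are requested, and the patch description does not say that this is intended. If this is what is needed to match the recorded archive hashes (presumably so, but it cannot be confirmed from this hunk), the patch header should say it, for example `The names are written even with --numeric-owner so that the header matches archives made by tar 1.29.` The header also records provenance only as `import patch from openwrt`; a reference to the OpenWrt commit and an upstream-status line would let a later reviewer verify where the change came from. `write_gnu_long_link` starts and ends outside the nested hunk.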
diff --git a/package/tar/tar.hash b/package/tar/tar.hash
index 60309bab8f..f919168dc2 100644
--- a/package/tar/tar.hash
+++ b/package/tar/tar.hash
@@ -1,4 +1,4 @@
 # Locally calculated after checking signature
-sha256	402dcfd0022fd7a1f2c5611f5c61af1cd84910a760a44a688e18ddbff4e9f024	tar-1.29.tar.xz
-sha256	9173f222464dd3676118408840da5990527062b5c7daf6487bed7c396c45bfb1	tar-1.29.cpio.gz
+sha256	d0d3ae07f103323be809bc3eac0dcc386d52c5262499fe05511ac4788af1fdd8	tar-1.32.tar.xz
+sha256	a50fd6eaf2a554930064c18ff5a1016707ab8af5b739dd0890dca04656e7c2aa	tar-1.31.cpio.gz
 sha256	8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903	COPYING
diff --git a/package/tar/tar.mk b/package/tar/tar.mk
index 6f609d7a02..224519cae6 100644
--- a/package/tar/tar.mk
+++ b/package/tar/tar.mk
@@ -4,7 +4,10 @@
 #
 ################################################################################
 
-TAR_VERSION = 1.29
+# Host tar is kept at 1.31 because there is no cpio.gz archive available for
+# tar version 1.32
+HOST_TAR_VERSION = 1.31
+TAR_VERSION = 1.32
 TAR_SOURCE = tar-$(TAR_VERSION).tar.xz
 TAR_SITE = $(BR2_GNU_MIRROR)/tar
 # busybox installs in /bin, so we need tar to install as well in /bin
@@ -31,13 +34,13 @@ $(eval $(autotools-package))
 
 # host-tar: use cpio.gz instead of tar.gz to prevent chicken-egg problem
 # of needing tar to build tar.
-HOST_TAR_SOURCE = tar-$(TAR_VERSION).cpio.gz
+HOST_TAR_SOURCE = tar-$(HOST_TAR_VERSION).cpio.gz
 define HOST_TAR_EXTRACT_CMDS
 	mkdir -p $(@D)
 	cd $(@D) && \
 		$(call suitable-extractor,$(HOST_TAR_SOURCE)) $(TAR_DL_DIR)/$(HOST_TAR_SOURCE) | cpio -i --preserve-modification-time
-	mv $(@D)/tar-$(TAR_VERSION)/* $(@D)
-	rmdir $(@D)/tar-$(TAR_VERSION)
+	mv $(@D)/tar-$(HOST_TAR_VERSION)/* $(@D)
+	rmdir $(@D)/tar-$(HOST_TAR_VERSION)
 endef
 
 HOST_TAR_CONF_OPTS = --without-selinux
@@ -47,4 +50,13 @@ HOST_TAR_CONF_ENV = \
 	CC="$(HOSTCC_NOCCACHE)" \
 	CXX="$(HOSTCXX_NOCCACHE)"
 
+# host-tar is used to create the archives in the VCS download backends and tar
+# 1.30 and forward have changed the archive format. So archives generated with
+# earlier versions are not bit-for-bit reproducible and the hashes would not
+# match. We add a patch that restores the origional format to host-tar.
+define HOST_TAR_APPLY_PATCHES
+	$(APPLY_PATCHES) $(@D) package/tar/host \*.patch
+endef
+HOST_TAR_POST_PATCH_HOOKS += HOST_TAR_APPLY_PATCHES
+
 $(eval $(host-autotools-package))
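Review bot: The comment added above `HOST_TAR_APPLY_PATCHES` misspells "original" as `origional`, and it says the patch restores the original archive format, while 0001-tar-fix-reproducibility-issue.patch only forces `root`/`root` names in the `././@LongLink` header. Since verification of the download hashes depends on exactly this behaviour, the comment should name it: `# We patch host-tar to write root/root in GNU long-link headers again, so that generated archives match the recorded hashes.` It would also help to say why a post-patch hook on `package/tar/host` is used instead of the default patch lookup, presumably to keep the patch off the target tar 1.32 build.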
-- 
2.20.1


