[Buildroot] [PATCH v5 1/1] package/tar: bump target version to 1.32

Carlos Santos unixmania at gmail.com
Sat Jan 18 12:16:56 UTC 2020


On Fri, Jan 17, 2020 at 11:26 PM James Hilliard
<james.hilliard1 at gmail.com> wrote:
>
> From: Luc Creti <luc.creti at atos.net>
>
> The host tar is used to create the archives in the VCS download backends
> (git, cvs, svn, hg...) and tar 1.30 and forward have changed the way
> they generate the archives.
>
> So, all the archives that have been generated before 1.30 was released
> are not bit-for-bit reproducible (even though the extracted content
> would be), so the hashes we have for those archives would not match.
>
> Hence host-tar requires a patch to restore reproducibility.
>
> Extract host-tar with tar from build host instead of using cpio.gz.
>
> Fixes: https://bugs.busybox.net/show_bug.cgi?id=12256
>
> Signed-off-by: Luc Creti <luc.creti at atos.net>
> Signed-off-by: Carlos Santos <unixmania at gmail.com>
> Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
> ---
> Changes v0->v1:
>   - Commit message rewritten based on comment from Yann E. MORIN
> Changes v1->v2:
>   - Title modified to emphasize that host-tar is kept at 1.29
> Changes v2->v3
>   - Add a comment in the .mk file that explains why the host-tar package
>     is kept at 1.29 and not bumped to any higher version
>   - Add missing spaces around '='
>   - Spell Author name as 'Luc Creti'
> Changes v3->v4
>   - Bump host-tar to 1.31 and patch it to restore reproducibility.
> Changes v4->v5
>   - Don't use cpio.gz.
> ---
>  .../0001-tar-fix-reproducibility-issue.patch  | 42 +++++++++++++++++++
>  package/tar/tar.hash                          |  3 +-
>  package/tar/tar.mk                            | 19 +++++----
>  3 files changed, 55 insertions(+), 9 deletions(-)
>  create mode 100644 package/tar/host/0001-tar-fix-reproducibility-issue.patch
>
> diff --git a/package/tar/host/0001-tar-fix-reproducibility-issue.patch b/package/tar/host/0001-tar-fix-reproducibility-issue.patch
> new file mode 100644
> index 0000000000..a2417694e4
> --- /dev/null
> +++ b/package/tar/host/0001-tar-fix-reproducibility-issue.patch
> @@ -0,0 +1,42 @@
> +From e79e62e3e066545ba5319e2a905e62a0bb47e9e1 Mon Sep 17 00:00:00 2001
> +From: Felix Fietkau <nbd at nbd.name>
> +Date: Mon, 19 Dec 2016 21:06:07 +0100
> +Subject: [PATCH] tar: fix reproducibility issue
> +
> +Force root/root as names for uid0/gid0 instead of using the system
> +names. This helps make packed download tarballs more reproducible
> +
> +Signed-off-by: Felix Fietkau <nbd at nbd.name>
> +Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
> +[James Hilliard: import patch from openwrt]
> +---
> + src/create.c | 13 ++-----------
> + 1 file changed, 2 insertions(+), 11 deletions(-)
> +
> +diff --git a/src/create.c b/src/create.c
> +index bb9c115..1baee36 100644
> +--- a/src/create.c
> ++++ b/src/create.c
> +@@ -543,17 +543,8 @@ write_gnu_long_link (struct tar_stat_info *st, const char *p, char type)
> +   union block *header;
> +
> +   header = start_private_header ("././@LongLink", size, 0);
> +-  if (! numeric_owner_option)
> +-    {
> +-      static char *uname, *gname;
> +-      if (!uname)
> +-      {
> +-        uid_to_uname (0, &uname);
> +-        gid_to_gname (0, &gname);
> +-      }
> +-      UNAME_TO_CHARS (uname, header->header.uname);
> +-      GNAME_TO_CHARS (gname, header->header.gname);
> +-    }
> ++  UNAME_TO_CHARS ("root", header->header.uname);
> ++  GNAME_TO_CHARS ("root", header->header.gname);
> +
> +   strcpy (header->buffer + offsetof (struct posix_header, magic),
> +         OLDGNU_MAGIC);
> +--
> +2.20.1
> +
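Review bot: The imported patch drops the `if (! numeric_owner_option)` guard in `write_gnu_long_link` along with the uid/gid lookup, so the `././@LongLink` header now carries `root`/`root` even when `--numeric-owner` is given, yet the patch description only mentions replacing the system names. Archive hashes depend on these header bytes, so the description should state the intent, for example `The numeric_owner_option check is dropped on purpose so the long-link header is identical regardless of options and host.` (assuming that is the intent; please confirm against what tar 1.29 wrote). The header also names OpenWrt as the origin without a URL or commit id, which makes the patch hard to re-verify on the next version bump. The function body continues outside the hunk.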
> diff --git a/package/tar/tar.hash b/package/tar/tar.hash
> index 60309bab8f..0a0516ddd9 100644
> --- a/package/tar/tar.hash
> +++ b/package/tar/tar.hash
> @@ -1,4 +1,3 @@
>  # Locally calculated after checking signature
> -sha256 402dcfd0022fd7a1f2c5611f5c61af1cd84910a760a44a688e18ddbff4e9f024        tar-1.29.tar.xz
> -sha256 9173f222464dd3676118408840da5990527062b5c7daf6487bed7c396c45bfb1        tar-1.29.cpio.gz
> +sha256 d0d3ae07f103323be809bc3eac0dcc386d52c5262499fe05511ac4788af1fdd8        tar-1.32.tar.xz
>  sha256 8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903        COPYING
> diff --git a/package/tar/tar.mk b/package/tar/tar.mk
> index 6f609d7a02..84d79680b9 100644
> --- a/package/tar/tar.mk
> +++ b/package/tar/tar.mk
> @@ -4,7 +4,7 @@
>  #
>  ################################################################################
>
> -TAR_VERSION = 1.29
> +TAR_VERSION = 1.32
>  TAR_SOURCE = tar-$(TAR_VERSION).tar.xz
>  TAR_SITE = $(BR2_GNU_MIRROR)/tar
>  # busybox installs in /bin, so we need tar to install as well in /bin
> @@ -29,15 +29,11 @@ endif
>
>  $(eval $(autotools-package))
>
> -# host-tar: use cpio.gz instead of tar.gz to prevent chicken-egg problem
> -# of needing tar to build tar.
> -HOST_TAR_SOURCE = tar-$(TAR_VERSION).cpio.gz
>  define HOST_TAR_EXTRACT_CMDS
>         mkdir -p $(@D)
>         cd $(@D) && \
> -               $(call suitable-extractor,$(HOST_TAR_SOURCE)) $(TAR_DL_DIR)/$(HOST_TAR_SOURCE) | cpio -i --preserve-modification-time
> -       mv $(@D)/tar-$(TAR_VERSION)/* $(@D)
> -       rmdir $(@D)/tar-$(TAR_VERSION)
> +               $(call suitable-extractor,$(TAR_SOURCE)) $(TAR_DL_DIR)/$(TAR_SOURCE) \
> +               | tar --strip-components=1 -xf -
>  endef
>
>  HOST_TAR_CONF_OPTS = --without-selinux
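Review bot: `HOST_TAR_EXTRACT_CMDS` now calls a bare `tar` from PATH and relies on it supporting `--strip-components`, while the comment explaining why host-tar has its own extraction step is removed without a replacement. host-tar is presumably built precisely when the build machine's tar is not considered suitable, so the requirement placed on that tar should be written down, e.g. `# Bootstrap with the build host's tar: it only needs to read the archive and support --strip-components.` Note also that the recipe's exit status is that of the last pipeline stage, so a decompressor failure is only caught if `tar` then fails on the truncated stream.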
> @@ -47,4 +43,13 @@ HOST_TAR_CONF_ENV = \
>         CC="$(HOSTCC_NOCCACHE)" \
>         CXX="$(HOSTCXX_NOCCACHE)"
>
> +# host-tar is used to create the archives in the VCS download backends and tar
> +# 1.30 and forward have changed the archive format. So archives generated with
> +# earlier versions are not bit-for-bit reproducible and the hashes would not
> +# match. We add a patch that restores the origional format to host-tar.
> +define HOST_TAR_APPLY_PATCHES
> +       $(APPLY_PATCHES) $(@D) package/tar/host \*.patch
> +endef
> +HOST_TAR_POST_PATCH_HOOKS += HOST_TAR_APPLY_PATCHES
> +
>  $(eval $(host-autotools-package))
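Review bot: The new comment above `HOST_TAR_APPLY_PATCHES` misspells "original" as `origional` and says tar 1.30 changed "the archive format", whereas the imported patch only touches the uname/gname fields of the long-link header. A more precise wording would be `# tar 1.30 and later fill uname/gname in GNU long-link headers differently, so VCS archives would not match the stored hashes; patch host-tar to write root/root there.` The comment should also say why a post-patch hook is used, presumably so the patch under `package/tar/host` applies to host-tar only and not to the target package. The patch directory is given relative to the current directory; if the infrastructure offers a package-directory variable, using it would be more robust, though that cannot be confirmed from this hunk.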
> --
> 2.20.1
>

Tested-by: Carlos Santos <unixmania at gmail.com>
---
Compared an archive generated with host-tar 1.29 with one generated
with the patched host-tar 1.32.

$ mkdir beaglebone_qt5
$ cd beaglebone_qt5
$ make -C ../buildroot O=$PWD beaglebone_qt5_defconfig
$ echo $BR2_DL_DIR
/home/casantos/src
$ grep TI_SGX_UM_VERSION ../buildroot/package/ti-sgx-um/ti-sgx-um.mk
TI_SGX_UM_VERSION = 2a2e5bb090ced870d73ed4edbc54793e952cc6d8
$ ls -ld ~/src/ti-sgx-um/ti-sgx-um-2a2e5bb090ced870d73ed4edbc54793e952cc6d8.tar.gz
-rw-r--r--. 1 casantos casantos 56M Nov 15 00:28
/home/casantos/src/ti-sgx-um/ti-sgx-um-2a2e5bb090ced870d73ed4edbc54793e952cc6d8.tar.gz
$ sha256sum ~/src/ti-sgx-um/ti-sgx-um-2a2e5bb090ced870d73ed4edbc54793e952cc6d8.tar.gz
cb1373a6335af3d3741c6b11cf217afc8bdbe182642229df359c38e3ccfc5866
/home/casantos/src/ti-sgx-um/ti-sgx-um-2a2e5bb090ced870d73ed4edbc54793e952cc6d8.tar.gz
$ rm ~/src/ti-sgx-um/ti-sgx-um-2a2e5bb090ced870d73ed4edbc54793e952cc6d8.tar.gz
$ make ti-sgx-um-source
$ sha256sum ~/src/ti-sgx-um/ti-sgx-um-2a2e5bb090ced870d73ed4edbc54793e952cc6d8.tar.gz
| grep cb1373a6335af3d3741c6b11cf217afc8bdbe182642229df359c38e3ccfc5866
cb1373a6335af3d3741c6b11cf217afc8bdbe182642229df359c38e3ccfc5866
/home/casantos/src/ti-sgx-um/ti-sgx-um-2a2e5bb090ced870d73ed4edbc54793e952cc6d8.tar.gz
$ host/bin/tar --version
tar (GNU tar) 1.32
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by John Gilmore and Jay Fenlason.


