#978946 gfxboot: reproducible builds: Embeds user id, group id and timestamps in cpio files

Package:
src:gfxboot
Source:
gfxboot
Submitter:
Vagrant Cascadian
Date:
2025-09-02 19:19:01 UTC
Severity:
normal
#978946#5
Date:
2020-12-31 23:51:34 UTC
Various cpio archives shipped in gfxboot contain the user id and group
id of the build user:

https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/gfxboot.html

  etc/bootsplash/example_01/cdrom/bootlogo

  -rw-r--r--···1·····1111·····1111····42639·2020-12-24·13:17:48.000000·init
  vs.
  -rw-r--r--···1·····2222·····2222····42639·2022-01-26·19:45:05.000000·init


The attached patch fixes this by passing the owner argument to the cpio
calls when creating the archives.


Unfortunately, the cpio archives also embed the timestamps of the files
included, which will likely vary between builds, so this does not
resolve all reproducibility issues with these archives.


Thanks for maintaining gfxboot!


live well,
  vagrant

#978946#10
Date:
2021-01-01 04:25:28 UTC
Control: tags 978946 fixed-upstream

This is fixed upstream:

https://github.com/openSUSE/gfxboot/pull/35

Timestamp issues also fixed upstream in the same pull request.


I think applying similar patches to themes/examples* may still be
needed.


live well,
  vagrant

#978946#17
Date:
2021-01-03 08:39:58 UTC
The first two patches are the above mentioned patches from upstream, and
fix the themes shipped in gfxboot-themes package.

The remaining patches apply similar fixes to the gfxboot script and to
the themes/examples* which are included in the gfxboot-dev package.

One of the patches removes directories from the cpio archive, as the
example themes only included a "." directory with timestamps. This patch
needs further testing to ensure it behaves properly.


With these patches and the locale patch from #979125, gfxboot should be
reproducible.


live well,
  vagrant

#978946#22
Date:
2021-01-03 08:56:22 UTC
...

Actually, using "find . -mindepth 1" instead of "find . -type f" seems
safer, as it will only exclude the "." directory, in case a theme makes
use of a subdirectory... though all currently shipped themes do not
appear to include subdirectories.


live well,
  vagrant
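
The effect of the fixes discussed in this thread (fixed owner, fixed timestamps, and the inode and device renumbering that GNU cpio's --reproducible option performs), as an added example that is not part of the original messages or of gfxboot itself. It assumes the SVR4 "newc" cpio format and constructed sample members; sorting the member names goes beyond what the thread discusses.

```python
import hashlib

def newc_entry(name, data, ino, uid, gid, mtime, dev=(0, 0), mode=0o100644):
    """Serialise one member in the SVR4 "newc" cpio format (assumed here)."""
    raw = name.encode() + b"\0"
    fields = (ino, mode, uid, gid, 1, mtime, len(data),
              dev[0], dev[1], 0, 0, len(raw), 0)
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + raw
    out += b"\0" * (-len(out) % 4)            # header + name padded to 4 bytes
    return out + data + b"\0" * (-len(data) % 4)

def build(members, normalize, epoch=0):
    """Pack members as the build host sees them, or with metadata normalised."""
    out = b""
    if normalize:
        members = sorted(members, key=lambda m: m["name"])  # stable order
    for i, m in enumerate(members, 1):
        if normalize:
            # owner forced to 0:0, mtime clamped, inode renumbered, device zeroed
            out += newc_entry(m["name"], m["data"], i, 0, 0, epoch)
        else:
            out += newc_entry(m["name"], m["data"], m["ino"], m["uid"],
                              m["gid"], m["mtime"], m["dev"])
    return out + newc_entry("TRAILER!!!", b"", 0, 0, 0, 0, mode=0)

def digest(archive):
    return hashlib.sha256(archive).hexdigest()

# Constructed sample: the same two files as seen on two different build hosts.
FILES = {"init": b"\x00" * 10, "languages": b"en\n"}
BUILD_A = [dict(name=n, data=d, ino=500 + i, uid=1111, gid=1111,
                mtime=1608815868, dev=(8, 1))
           for i, (n, d) in enumerate(FILES.items())]
BUILD_B = [dict(name=n, data=d, ino=9000 + i, uid=2222, gid=2222,
                mtime=1643226305, dev=(253, 0))
           for i, (n, d) in enumerate(reversed(list(FILES.items())))]

if __name__ == "__main__":
    for label, norm in (("as built", False), ("normalised", True)):
        print(label, digest(build(BUILD_A, norm))[:16],
              digest(build(BUILD_B, norm))[:16])
```
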

#978946#27
Date:
2021-01-03 09:33:32 UTC
Control: forwarded 978946 https://github.com/openSUSE/gfxboot/pull/49
Control: retitle 978946 gfxboot: reproducible builds: Embeds user id, group id and timestamps in cpio files

Submitted a pull request upstream for the patches not already applied
upstream.


live well,
  vagrant

#978946#36
Date:
2021-01-03 09:35:09 UTC
user reproducible-builds@lists.alioth.debian.org
usertags 978946 + timestamps
thanks

#978946#41
Date:
2021-01-04 02:34:04 UTC
We believe that the bug you reported is fixed in the latest version of
gfxboot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 978946@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Vagrant Cascadian <vagrant@reproducible-builds.org> (supplier of updated gfxboot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 03 Jan 2021 18:04:09 -0800
Source: gfxboot
Architecture: source
Version: 4.5.73-1
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Vagrant Cascadian <vagrant@reproducible-builds.org>
Closes: 783398 978946 979125
Changes:
 gfxboot (4.5.73-1) unstable; urgency=medium
 .
   * QA upload.
   * Update to new upstream version 4.5.73. (Closes: #783398)
   * gfxboot: pass --reproducible and --owner to cpio. (Closes: #978946)
   * gfxboot: avoid including the "." directory in the cpio archive.
     (Closes: #978946)
   * themes/example*/Makefile: Set time on files in example themes using
     Makefile as a reference time.  (Closes: #978946)
   * debian/rules: Pass C.UTF-8 locale when building documentation.
     (Closes: #979125)
   * debian/control: Set Rules-Requires-Root to "no".
   * debian/rules: Create a VERSION file since upstream expects it.
   * debian/rules: Do not build test themes.
   * debian/control: Update Vcs headers.
   * debian/copyright: Use https URLs and drop broken link
   * debian/control: Update Homepage.
   * debian/source/options, debian/rules: Drop custom compression.
   * Update to debhelper-compat 13.
   * debian/rules: Remove obsolete dh_install override.
   * debian/rules: Do not pass --parallel to dh as it is now the default.
   * debian/rules: Add target to update upstream changelog.
   * changelog.upstream: Add changelog for upstream version 4.5.73.
   * debian/rules: Copy upstream changelog during build.
   * gfxboot-themes: Add lintian override for
     package-contains-documentation-outside-usr-share-doc.
   * debian/control: Update Standards-Version to 4.5.1.
   * debian/control: Add ${perl:Depends} to Depends.

#978946#46
Date:
2021-01-04 18:33:24 UTC
Format: 1.8
Date: Mon, 04 Jan 2021 10:14:56 -0800
Source: gfxboot
Architecture: source
Version: 4.5.73-2
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Vagrant Cascadian <vagrant@reproducible-builds.org>
Closes: 978946
Changes:
 gfxboot (4.5.73-2) unstable; urgency=medium
 .
   * QA upload.
   * themes/example*/Makefile: Use the .bc files as a reference date.
     (Closes: #978946)

#978946#63
Date:
2025-09-02 14:08:28 UTC
Hi Vagrant,

I had a look into gfxboot and did a QA upload of the latest upstream
version since I realised the PR you referenced inside the bug log was
accepted.  It seems your other PR regarding reproducibility[1] was not yet
accepted.  I also realised your patches do not apply against the last
release (4.5.103) and so I did not incorporate these into the quilt
patches.

I admit I'm a bit clueless what to do next so I'm simply tagging the bug
help.  I realised you did some previous QA uploads so I guess you would
have uploaded if you would have considered the problem solved.

Please note that when upgrading I have moved the package to the Debian
team on Salsa.  I was told this works nicely with a dgit based workflow
as well.  My motivation was simply to possibly attract more people
who can easily access the Debian team and might profit from Salsa CI.

Kind regards
    Andreas.

[1] https://github.com/openSUSE/gfxboot/pull/49

#978946#70
Date:
2025-09-02 17:31:15 UTC
Maybe they were fixed some other way?

We'll see when the reproducible builds checks are run... :)

Although, I seem to recall it was never a reliable non-determinism, so
even a few Reproducible Builds checks might not prove the issue is fixed
:/

Yeah, salsa probably makes more sense than dgit, as more people are
actively using it.


Thanks for checking in. I am not terribly attached to gfxboot, per se,
really just wanted to make the Reproducible Builds numbers go up! UP! :)


live well,
  vagrant

#978946#75
Date:
2025-09-02 19:16:59 UTC
Hi Vagrant,

On Tue, Sep 02, 2025 at 10:31:15AM -0700, Vagrant Cascadian wrote:

Salsa CI is green.

Me neither.

Just wanted to make Salsa usage numbers go up. ;-)

Kind regards
   Andreas.