Merge #21271: guix: Explicitly set umask in build container

fanquake · fanquake · commit 56f06a986385 · 2021-02-25T08:22:04.000+08:00
d98f459 guix: Explicitly set umask in build container (Carl Dong) Pull request description: Opened as a separate PR to fix non-reproducibility found through testing here: bitcoin/bitcoin#21089 (comment) Many thanks to everyone who helped find this! ACKs for top commit: laanwj: ACK d98f459 fanquake: ACK d98f459 - I'm seeing matching hashes. Tree-SHA512: ea339c3902f2f4dea32e8ef5cc675a1df0679530881260ae999aaaf7339d5b12c46e01e58677cbb079f33e573ad105e2b443a835f3e944ef8e943a25f83027f1
diff --git a/contrib/guix/libexec/build.sh b/contrib/guix/libexec/build.sh
@@ -3,6 +3,16 @@ export LC_ALL=C
 set -e -o pipefail
 export TZ=UTC
 
+# Althought Guix _does_ set umask when building its own packages (in our case,
+# this is all packages in manifest.scm), it does not set it for `guix
+# environment`. It does make sense for at least `guix environment --container`
+# to set umask, so if that change gets merged upstream and we bump the
+# time-machine to a commit which includes the aforementioned change, we can
+# remove this line.
+#
+# This line should be placed before any commands which creates files.
+umask 0022
+
 if [ -n "$V" ]; then
     # Print both unexpanded (-v) and expanded (-x) forms of commands as they are
     # read from this file.
