misc/58196: [RB] Install ISO images leak local user/group information

[jbglaw%lug-owl.de@localhost]

>Number:         58196
>Category:       misc
>Synopsis:       [RB] Install ISO images leak local user/group information
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 25 18:00:01 +0000 2024
>Originator:     Jan-Benedict Glaw
>Release:        current
>Organization:
>Environment:
Linux lili 5.16.0-4-amd64 #1 SMP PREEMPT Debian 5.16.12-1 (2022-03-08) x86_64 GNU/Linux

NetBSD nnetbsd-template.intern.jbglaw.lug-owl.de 10.99.10 NetBSD 10.99.10 (GENERIC) #0:   mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
As I'm working on reproducibility, I noticed that generated ISO images leak user/group information for a good number of files.

In principle, `makefs` is called with a manifest that sets uid/gid information for all files/directories. However, many of the files aren't listed there, so `lstat()` information is taken instead.

There are two (two and a half) routes to go:

  1.  Extend the manifest to contain _all_ files (additional including
      the sets, kernels, ...); and
  1b. possibly error out in case a file that is _not_ listed in the
      manifest would be added; or
  2.  prepare a default user/group id for non-listed files.

>How-To-Repeat:
Build a release / iso-image / install-image on a NetBSD/amd64 and a Linux/amd64 host system and compare the generated ISO images.

As I'm still working on ironing out port-specific build differences, please use the vax or sparc64 ports as others may contain additional differences not relevant to this (generic) issue.
>Fix:
Add everything to the manifest or prepare a default to be used.