Your message dated Sun, 03 Jul 2016 22:41:47 +0000
with message-id <[email protected]>
and subject line Bug#759999: fixed in dpkg 1.18.8
has caused the Debian Bug report #759999,
regarding dpkg: please set reproducible timestamps in .deb ar file headers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
759999: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759999
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dpkg
Version: 1.17.14
Severity: wishlist
Tags: patch
User: [email protected]
Usertags: toolchain, timestamps
X-Debbugs-Cc: [email protected]

Hi!

`.deb` are ar archives. The archive internal headers currently capture
the time when the build was made. As part of the reproducible builds
project [1], it would be great if these timestamps could be made
easily reproducible.

Guillem Jover already expressed [2] that he preferred to keep these
timestamps meaningful. The attached patches will set them to be the date
of the latest changelog entry when a package is built using
`dpkg-buildpackage`. During the discussions at DebConf14, there was a
consensus that it was the most meaningful time reference to use.

The first patch will modify `dpkg-deb` to use the same timestamp for
every member of the ar archive.

The second patch will:

 1. Make `dpkg-deb` try to look for a timestamp to use in the
    DEB_BUILD_TIMESTAMP environment variable in epoch format.
    If not set or not parseable, it will default to use the current
    time.
 2. Change `dpkg-buildpackage` to parse `debian/changelog` and preset
    DEB_BUILD_TIMESTAMP to the value of its latest entry. Unless
    DEB_BUILD_TIMESTAMP was already set in order to allow arbitrary
    dates to be reproduced.

 [1]: https://wiki.debian.org/ReproducibleBuilds
 [2]: https://bugs.debian.org/719844#10

-- 
Lunar                                .''`. 
[email protected]                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
From fe1543722750a71ed7d7110291a917fc12bbc7ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Bobbio?= <[email protected]>
Date: Tue, 27 Aug 2013 22:38:31 +0200
Subject: [PATCH 1/2] Use a single timestamp for ar headers when building a
 .deb

In order to make build reproducible in the future, we now use a single
timestamp in all ar headers when creating a .deb.

Previously, each ar header would have the current time of its creation.
This level of precision is not really needed and the time of the beginning of
the build is good enough.
---
 dpkg-deb/build.c   |   10 +++++++---
 dpkg-split/split.c |    4 ++--
 lib/dpkg/ar.c      |   13 +++++++------
 lib/dpkg/ar.h      |    4 ++--
 4 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/dpkg-deb/build.c b/dpkg-deb/build.c
index 0b9cfb6..5384776 100644
--- a/dpkg-deb/build.c
+++ b/dpkg-deb/build.c
@@ -38,6 +38,7 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <time.h>
 
 #include <dpkg/i18n.h>
 #include <dpkg/dpkg.h>
@@ -440,6 +441,7 @@ do_build(const char *const *argv)
   int arfd;
   int p1[2], p2[2], gzfd;
   pid_t c1, c2;
+  time_t build_timestamp;
 
   /* Decode our arguments. */
   dir = *argv++;
@@ -486,6 +488,8 @@ do_build(const char *const *argv)
   }
   m_output(stdout, _("<standard output>"));
 
+  build_timestamp = time(NULL);
+
   /* Now that we have verified everything its time to actually
    * build something. Let's start by making the ar-wrapper. */
   arfd = creat(debar, 0644);
@@ -561,8 +565,8 @@ do_build(const char *const *argv)
             compressor_get_extension(control_compress_params.type));
 
     dpkg_ar_put_magic(debar, arfd);
-    dpkg_ar_member_put_mem(debar, arfd, DEBMAGIC, deb_magic, strlen(deb_magic));
-    dpkg_ar_member_put_file(debar, arfd, adminmember, gzfd, -1);
+    dpkg_ar_member_put_mem(debar, arfd, DEBMAGIC, deb_magic, build_timestamp, strlen(deb_magic));
+    dpkg_ar_member_put_file(debar, arfd, adminmember, gzfd, build_timestamp, -1);
   } else {
     internerr("unknown deb format version %d.%d", deb_format.major, deb_format.minor);
   }
@@ -632,7 +636,7 @@ do_build(const char *const *argv)
     if (lseek(gzfd, 0, SEEK_SET))
       ohshite(_("failed to rewind temporary file (%s)"), _("data member"));
 
-    dpkg_ar_member_put_file(debar, arfd, datamember, gzfd, -1);
+    dpkg_ar_member_put_file(debar, arfd, datamember, gzfd, build_timestamp, -1);
 
     close(gzfd);
   }
diff --git a/dpkg-split/split.c b/dpkg-split/split.c
index 37cbb93..b2da62b 100644
--- a/dpkg-split/split.c
+++ b/dpkg-split/split.c
@@ -216,13 +216,13 @@ mksplit(const char *file_src, const char *prefix, off_t maxpartsize,
 		              (intmax_t)st.st_size, (intmax_t)partsize,
 		              curpart, nparts, arch);
 		dpkg_ar_member_put_mem(file_dst.buf, fd_dst, PARTMAGIC,
-		                       partmagic.buf, partmagic.used);
+		                       partmagic.buf, time(NULL), partmagic.used);
 		varbuf_reset(&partmagic);
 
 		/* Write the data part. */
 		varbuf_printf(&partname, "data.%d", curpart);
 		dpkg_ar_member_put_file(file_dst.buf, fd_dst, partname.buf,
-		                        fd_src, cur_partsize);
+		                        fd_src, time(NULL), cur_partsize);
 		varbuf_reset(&partname);
 
 		close(fd_dst);
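Review bot: in mksplit() the two added arguments are separate time(NULL) calls, so the PARTMAGIC member and the data.%d member of the same part file can carry different timestamps, which leaves dpkg-split output time-dependent in exactly the way this commit removes for dpkg-deb. Read the clock once into a local time_t (or take it from the caller) and pass that one variable to both dpkg_ar_member_put_mem() and dpkg_ar_member_put_file().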
diff --git a/lib/dpkg/ar.c b/lib/dpkg/ar.c
index cf540a0..8613310 100644
--- a/lib/dpkg/ar.c
+++ b/lib/dpkg/ar.c
@@ -36,11 +36,12 @@
 #include <dpkg/ar.h>
 
 static void
-dpkg_ar_member_init(struct dpkg_ar_member *member, const char *name, off_t size)
+dpkg_ar_member_init(struct dpkg_ar_member *member, const char *name,
+                    time_t timestamp, off_t size)
 {
 	member->name = name;
 	member->size = size;
-	member->time = time(NULL);
+	member->time = timestamp;
 	member->mode = 0100644;
 	member->uid = 0;
 	member->gid = 0;
@@ -124,11 +125,11 @@ dpkg_ar_member_put_header(const char *ar_name, int ar_fd,
 
 void
 dpkg_ar_member_put_mem(const char *ar_name, int ar_fd,
-                       const char *name, const void *data, size_t size)
+                       const char *name, const void *data, time_t timestamp, size_t size)
 {
 	struct dpkg_ar_member member;
 
-	dpkg_ar_member_init(&member, name, size);
+	dpkg_ar_member_init(&member, name, timestamp, size);
 	dpkg_ar_member_put_header(ar_name, ar_fd, &member);
 
 	/* Copy data contents. */
@@ -142,7 +143,7 @@ dpkg_ar_member_put_mem(const char *ar_name, int ar_fd,
 
 void
 dpkg_ar_member_put_file(const char *ar_name, int ar_fd,
-                        const char *name, int fd, off_t size)
+                        const char *name, int fd, time_t timestamp, off_t size)
 {
 	struct dpkg_error err;
 	struct dpkg_ar_member member;
@@ -155,7 +156,7 @@ dpkg_ar_member_put_file(const char *ar_name, int ar_fd,
 		size = st.st_size;
 	}
 
-	dpkg_ar_member_init(&member, name, size);
+	dpkg_ar_member_init(&member, name, timestamp, size);
 	dpkg_ar_member_put_header(ar_name, ar_fd, &member);
 
 	/* Copy data contents. */
diff --git a/lib/dpkg/ar.h b/lib/dpkg/ar.h
index 81a061e..c1b8bed 100644
--- a/lib/dpkg/ar.h
+++ b/lib/dpkg/ar.h
@@ -59,9 +59,9 @@ void dpkg_ar_put_magic(const char *ar_name, int ar_fd);
 void dpkg_ar_member_put_header(const char *ar_name, int ar_fd,
                                struct dpkg_ar_member *member);
 void dpkg_ar_member_put_file(const char *ar_name, int ar_fd, const char *name,
-                             int fd, off_t size);
+                             int fd, time_t timestamp, off_t size);
 void dpkg_ar_member_put_mem(const char *ar_name, int ar_fd, const char *name,
-                            const void *data, size_t size);
+                            const void *data, time_t timestamp, size_t size);
 off_t dpkg_ar_member_get_size(const char *ar_name, struct ar_hdr *arh);
 
 /** @} */
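Review bot: both prototypes insert time_t timestamp between the payload argument and its size (data and size in dpkg_ar_member_put_mem(), fd and size in dpkg_ar_member_put_file()), which splits a pair that callers read together and makes the -1 size sentinel used in build.c easy to misplace. Putting timestamp directly after name, or last, would keep payload and size adjacent. The new parameter also has no doc comment stating that it is the seconds-since-epoch value written into the ar member header.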
-- 
1.7.10.4

From 70c0817ca179aaeaa50e6c5808f3a9deb7aaefc2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Bobbio?= <[email protected]>
Date: Tue, 27 Aug 2013 23:53:22 +0200
Subject: [PATCH 2/2] Preset build timestamp to date of the latest changelog
 entry

dpkg-buildpackage will set the DEB_BUILD_TIMESTAMP environment variable to the
date of the latest entry in debian/changelog. This enables build to be easily
reproduced as the dates captured in the `.deb` archives will be deterministic.

DEB_BUILD_TIMESTAMP can also be externally set before running dpkg-buildpackage
to reproduce the build with an arbitrary date.
---
 dpkg-deb/build.c             |   20 +++++++++++++++++++-
 scripts/dpkg-buildpackage.pl |    6 ++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/dpkg-deb/build.c b/dpkg-deb/build.c
index 5384776..6ef3563 100644
--- a/dpkg-deb/build.c
+++ b/dpkg-deb/build.c
@@ -427,6 +427,24 @@ pkg_get_pathname(const char *dir, struct pkginfo *pkg)
   return path;
 }
 
+static time_t
+get_build_timestamp(void)
+{
+  time_t timestamp;
+  const char *value;
+  char *end;
+
+  errno = 0;
+  value = getenv("DEB_BUILD_TIMESTAMP");
+  if (!value)
+    return time(NULL);
+
+  timestamp = strtol(value, &end, 10);
+  if (value == end || *end || errno != 0)
+    ohshite(_("unable to parse timestamp `%.255s'"), value);
+  return timestamp;
+}
+
 /**
  * Overly complex function that builds a .deb file.
  */
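Review bot: get_build_timestamp() aborts through ohshite() when DEB_BUILD_TIMESTAMP does not parse, while the covering message says an unparseable value falls back to the current time; decide which behaviour is intended and make the code and the description agree. Two details in the same function: errno is cleared before getenv() rather than immediately before strtol(), and when the failure is value == end or a trailing character errno is still 0, so the errno-reporting ohshite() prints a misleading system error where ohshit() would fit. strtol() also accepts negative input and its long result is assigned to time_t unchecked, so a range check such as timestamp >= 0 is worth adding.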
@@ -488,7 +506,7 @@ do_build(const char *const *argv)
   }
   m_output(stdout, _("<standard output>"));
 
-  build_timestamp = time(NULL);
+  build_timestamp = get_build_timestamp();
 
   /* Now that we have verified everything its time to actually
    * build something. Let's start by making the ar-wrapper. */
diff --git a/scripts/dpkg-buildpackage.pl b/scripts/dpkg-buildpackage.pl
index a5385ed..16975a1 100755
--- a/scripts/dpkg-buildpackage.pl
+++ b/scripts/dpkg-buildpackage.pl
@@ -409,6 +409,12 @@ if ($changedby) {
     $maintainer = mustsetvar($changelog->{maintainer}, _g('source changed by'));
 }
 
+if (!$ENV{DEB_BUILD_TIMESTAMP}) {
+    my $timestamp = `date -d'$changelog->{date}' +%s`;
+    chomp $timestamp;
+    $ENV{DEB_BUILD_TIMESTAMP} = $timestamp;
+}
+
 open my $arch_env, '-|', 'dpkg-architecture', "-a$targetarch",
     "-t$targetgnusystem", '-f' or subprocerr('dpkg-architecture');
 while ($_ = <$arch_env>) {
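Review bot: the backtick command interpolates $changelog->{date} into a shell string between single quotes, so a date field in debian/changelog that contains a quote character changes what the shell runs; the changelog of a source package should be treated as untrusted input here. Convert the date in Perl, or run date without a shell through a list-form open as the dpkg-architecture call just below does, and validate the result before exporting it, since an empty or non-numeric $timestamp is currently exported as is. The !$ENV{DEB_BUILD_TIMESTAMP} test also treats a preset value of 0 as unset; use defined instead.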
-- 
1.7.10.4

Attachment: signature.asc
Description: Digital signature


--- End Message ---
--- Begin Message ---
Source: dpkg
Source-Version: 1.18.8

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <[email protected]> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jul 2016 19:01:56 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.18.8
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <[email protected]>
Changed-By: Guillem Jover <[email protected]>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 539692 745366 759886 759999 765494 779559 823167 823805 823877 824515 824542 824572 824873 824938 826161 826334 827265 827628 827633 828146
Changes:
 dpkg (1.18.8) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Do not disable PIE buildflags on */kFreeBSD anymore. Closes: #823877
     Thanks to Steven Chamberlain <[email protected]>.
   * Add new long options in dpkg-buildpackage for any short option that is
     a useful configurable candidate.
   * Add configuration file support to dpkg-buildpackage, as buildpackage.conf
     under either the dpkg system or user configuration directories.
     Closes: #539692, #765494
   * Check that debian/tests/control is a regular file before parsing it.
   * Generate Testsuite-Triggers field from test dependencies in dpkg-source
     into .dsc files. Based on a patch by Martin Pitt <[email protected]>.
     Closes: #779559
   * Add new dpkg-source --no-overwrite-dir extraction option. Closes: #826334
   * Fix number of entries computation returned by sysctl() on */kFreeBSD in
     start-stop-daemon.
   * Set return buffer length for sysctl(2) calls on */kFreeBSD in
     start-stop-daemon.
   * Abstract ar archive handling behind a new struct dpkg_ar and functions.
   * On dpkg --force-chrootless only set changedir to instdir if defined.
     Thanks to Niall Walsh <[email protected]>. Closes: #824542
   * Set primary group to 0 in dpkg when running as root.
     Reported by Stuart Prescott <[email protected]>.
   * Activate file triggers for conffiles on purge, which has never happened
     before. Before dpkg 1.17.0, conffiles were triggered on removal, which
     was obviously wrong. Reported by Helmut Grohne <[email protected]>.
   * Fix strtol() errno check when parsing the COLUMNS envvar in dpkg-query.
     Thanks to Sven Joachim <[email protected]>. Closes: #827265
   * Use new GNU tar --clamp-mtime option in dpkg-deb to make sure no file in
     binary packages has an mtime later than the given time. Closes: #759886
   * Use the same timestamp for the ar container as for tarball mtime clamping
     in dpkg-deb.
   * Set ar timestamp and tar mtime clamping to SOURCE_DATE_EPOCH if defined
     in dpkg-deb. Based on a patch by Jérémy Bobbio <[email protected]>.
   * Preset build timestamp to latest changelog entry in dpkg-buildpackage,
     by setting SOURCE_DATE_EPOCH environment variable if it is not already
     defined. Based on a patch by Jérémy Bobbio <[email protected]>.
     Closes: #759999
   * Do not use the debian/rules build target fallback when building both
     architecture independent and dependent packages in dpkg-buildpackage.
   * Use architecture «all» as part of the .changes filename when building
     architecture independent binaries and no architecture dependent binaries.
     Closes: #826161
   * Do not emit warnings from dpkg-genchanges for automatic debug symbol
     packages that are not found in debian/control.
   * Export SOURCE_DATE_EPOCH from pkg-info.mk makefile snippet.
     Closes: #824572
   * Architecture support:
     - Add TILE-Gx support to cputable. Closes: #823167
       Thanks to Helmut Grohne <[email protected]>.
   * Perl modules:
     - Use warnings::warnif() instead of carp() for deprecated warnings.
     - Add new format_range() method and deprecate dpkg() and rfc822() methods
       in Dpkg::Changelog.
     - Replace changelog program parsers with perl modules.
     - Add a getter for the Time::Piece object in Dpkg::Changelog.
     - Add new Timestamp field to Dpkg::Changelog output, which ends up on
       dpkg-parsechangelog's output.
     - Validate source version in set_version_substvars()'s Dpkg::Substvars
       method.
     - Revert "Dpkg::Conf: Switch implementation to be hash based", as this
       change broke backwards compatibility in multiple ways. The format_argv
       option was set by default, the order was not preserved, which was
       important for dpkg.cfg files, and duplicate option names stopped being
       supported. Add regression tests to avoid similar changes in the future.
       Closes: #824938
     - Add support for system and user config loading in Dpkg::Conf.
     - Add support for autopkgtest control files, with new CTRL_TESTS control
       type, new recognized fields to Dpkg::Control::Fields, and new modules
       Dpkg::Control::Tests and Dpkg::Control::Tests::Entry. Also update
       Dpkg::Index to support these.
     - Fix Dpkg::Deps so that architecture qualifiers only imply one another
       if they are the same. Closes: #745366, #827628
     - Add support for new environment variable DEB_BUILD_PATH to be able to
       control the path in the fixdebugpath feature in Dpkg::Vendor::Debian.
     - Preserve order when prepending shared library paths in Dpkg::Shlibs.
       This fixes the order of paths passed via dpkg-shlibdeps -l option.
       Closes: #823805
     - Check whether dependency restrictions are implied in Dpkg::Deps::Simple.
       Thanks to Ben Hutchings <[email protected]>. Closes: #827633
     - Disable upstream tar signature when building format 1.0 source packages
       in Dpkg::Source::Package::V1, as the current stable dpkg series do not
       support extracting them.
     - Preset Last-Update field in patch header template with current time in
       Dpkg::Source::Package::V2. Thanks to Daniel Shahaf <[email protected]>.
       Closes: #828146
   * Packaging:
     - Disable libmd usage in Debian and derivatives for now.
   * Build system:
     - Stop allowing to set deprecated bzip2 compressor as dpkg-deb default.
     - Use libmd automatically if available.
     - Uniformize library build options, from --with-zlib to --with-libz,
       --with-bz2 to --with-libbz2 and --with-selinux to --with-libselinux.
   * Test suite:
     - Bump perlcritic ValuesAndExpressions::RequireNumberSeparators minimum
       to 99999.
     - Add new pod-spell unit test.
     - Refactor common unit test checks for needed things into Test::Dpkg.
     - Accept perl's Lancaster Consensus AUTHOR_TESTING variable.
     - Add new minimum perl version unit test.
     - Add new synopsis unit test.
     - Add unit tests for dependency simplification with build profiles.
   * Documentation:
     - Improve dpkg-buildpackage(1) on environment expectations.
     - Clarify the format of the db:Status-Abbrev virtual field in
       dpkg-query(1). Closes: #824515
     - Document the tar entry size limitation for deb(5) format.
     - Document interaction between PIE and libraries in dpkg-buildflags(1).
       Based on text by Christian Seiler <[email protected]>.
     - Merge ENVIRONMENT sections in dpkg-buildflags(1).
     - Document various long options in dpkg-source --help output.
     - Move dpkg-source -q option from “Build options” to “General options”
       section in --help output.
     - Clarify shared library search order in dpkg-shlibdeps(1).
     - Remove most remaining AUTHOR sections from man and POD, as they are
       strongly discouraged, for being redundant, tending to get out-of-sync,
       and their format being inconsistent. In addition most got already
       removed in the past for the man pages.
     - Mark perlcritic as an optional author test dependency in the README.
     - Fix example code in Dpkg::Compression::FileHandle SYNOPSIS.
 .
   [ Updated programs translations ]
   * German (Sven Joachim).
   * Simplified Chinese (Zhou Mo). Closes: #824873
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated manpages translations ]
   * German (Helge Kreutzmann).
Checksums-Sha1:
 1976784ae227d550c4741ec17f4d747cf980cb48 2026 dpkg_1.18.8.dsc
 ecc3973037b85e6c7bc89928d7aa83ce6f13ec23 4633168 dpkg_1.18.8.tar.xz
Checksums-Sha256:
 965e50539d337897a74dd77ea9e66d2baec917ec6e089bc442320e7706abee5f 2026 dpkg_1.18.8.dsc
 0b5562578a46d5c54fe77c262cd0a13ad13f4ff4bda8ccc285757ad37a3f65b7 4633168 dpkg_1.18.8.tar.xz
Files:
 14737307588416c1747e78fbb69f379f 2026 admin required dpkg_1.18.8.dsc
 4729a5a9cd3755c0adf37e95e22f482e 4633168 admin required dpkg_1.18.8.tar.xz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----

--- End Message ---
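
A check for the property this report asks for, as an added example that is not part of the original messages or of dpkg: it walks the ar member headers of a `.deb` and reports members whose timestamps differ from each other or from an expected epoch. The names `ar_member`, `ar_mtimes` and `audit`, the sample archives and the `EPOCH` value are constructed for illustration.

```python
from __future__ import annotations
import os
import sys

AR_MAGIC = b"!<arch>\n"
HDR_LEN = 60  # name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2]


def ar_member(name: bytes, data: bytes, mtime: int) -> bytes:
    """Serialise one ar member (used only to construct the samples below)."""
    hdr = b"%-16s%-12d%-6d%-6d%-8o%-10d`\n" % (
        name, mtime, 0, 0, 0o100644, len(data))
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def ar_mtimes(blob: bytes) -> list[tuple[str, int]]:
    """Return (name, mtime) per member; ValueError on a malformed archive."""
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    out, pos = [], len(AR_MAGIC)
    while pos < len(blob):
        hdr = blob[pos:pos + HDR_LEN]
        if len(hdr) != HDR_LEN or hdr[58:] != b"`\n":
            raise ValueError(f"bad member header at offset {pos}")
        mtime = int(hdr[16:28].decode("ascii"))
        size = int(hdr[48:58].decode("ascii"))
        if size < 0 or pos + HDR_LEN + size > len(blob):
            raise ValueError(f"bad member size at offset {pos}")
        out.append((hdr[:16].decode("ascii").rstrip(" /"), mtime))
        pos += HDR_LEN + size + size % 2  # data is padded to an even length
    return out


def audit(blob: bytes, expected: int | None = None) -> list[str]:
    """Return findings; an empty list means the ar timestamps are reproducible."""
    members = ar_mtimes(blob)
    findings = []
    if len({m for _, m in members}) > 1:
        findings.append("members disagree: " + ", ".join(f"{n}={m}" for n, m in members))
    if expected is not None:
        findings += [f"{n}: mtime {m} != expected {expected}" for n, m in members if m != expected]
    return findings


# Constructed samples: one archive stamped with a single epoch, one stamped
# member by member with the wall clock as it advanced during the build.
EPOCH = 1467565316
_PARTS = [(b"debian-binary", b"2.0\n"), (b"control.tar.gz", b"control"),
          (b"data.tar.xz", b"data-bytes")]
FIXED = AR_MAGIC + b"".join(ar_member(n, d, EPOCH) for n, d in _PARTS)
DRIFT = AR_MAGIC + b"".join(
    ar_member(n, d, EPOCH + off) for (n, d), off in zip(_PARTS, (100, 100, 103)))

if __name__ == "__main__":
    env = os.environ.get("SOURCE_DATE_EPOCH")
    with open(sys.argv[1], "rb") as fh:
        problems = audit(fh.read(), int(env) if env else None)
    print("\n".join(problems) or "ar timestamps consistent")
    sys.exit(1 if problems else 0)
```

Run against a built package with `SOURCE_DATE_EPOCH` set to the value used for the build; a non-zero exit status means at least one ar header carries a different time.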
