Hi James,

On Mon, Jun 8, 2015 at 5:51 PM, James Lu <glol...@hotmail.com> wrote:
> Hi Vincent,
>
> I've removed bzr from the build dependencies.
>
> After fiddling with the get-orig-source a bit, I realized that I can't get
> the same checksum either when running it multiple times. According to a
> 'diff' of 'tar -tvf' output, the only difference between these generated
> tarballs was the source files' timestamps. This is probably because bzr is
> used to fetch the sources every time get-orig-source is run, and it saves
> the current time (of checkout) as the timestamp of the files, instead of the
> code's modification date. For this, there appears to be a wishlist bug
> filed: https://bugs.launchpad.net/bzr/+bug/245170

The reproducible builds team has a list of suggested workarounds for
various causes of non-reproducibility, one of which is timestamps in
generated tarballs. See [1] for a fairly simple way of making your
get-orig-source target reproducible.

Regards,
Vincent

[1] https://wiki.debian.org/ReproducibleBuilds/TimestampsInTarball
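
Added example, not part of the original message and not the wiki page's recipe: a Python illustration of the problem described in this thread, where two exports of identical sources produce different tarball checksums because file timestamps record the checkout time, and of how pinning the metadata makes the checksum stable. The helper names (`fake_checkout`, `make_tarball`, `demo`), the `FIXED_MTIME` value, and the sample files are constructed for the illustration.

```python
import gzip, hashlib, io, os, tarfile, tempfile

FIXED_MTIME = 1433721600  # constructed value; in practice use the upstream release date

def fake_checkout(parent, checkout_time):
    """Constructed stand-in for a VCS export: same content, mtime = time of checkout."""
    src = os.path.join(parent, "pkg-1.0")
    os.makedirs(os.path.join(src, "src"))
    for rel, body in (("README", "hello\n"), ("src/main.c", "int main(void){return 0;}\n")):
        path = os.path.join(src, rel)
        with open(path, "w") as f:
            f.write(body)
        os.utime(path, (checkout_time, checkout_time))
    return src

def make_tarball(src_dir, normalize):
    """Return .tar.gz bytes for src_dir; normalize=True pins timestamps and ownership."""
    def clean(info):
        if normalize:
            info.mtime = FIXED_MTIME            # the field that differed between runs
            info.uid = info.gid = 0             # drop builder-specific ownership
            info.uname = info.gname = "root"
        return info

    top = os.path.dirname(src_dir)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for root, dirs, files in os.walk(src_dir):
            dirs.sort()                         # fixed traversal order
            for path in [root] + [os.path.join(root, f) for f in sorted(files)]:
                tar.add(path, arcname=os.path.relpath(path, top), recursive=False, filter=clean)
    # gzip writes its own timestamp into the header; mtime=0 pins it (like gzip -n)
    return gzip.compress(raw.getvalue(), mtime=0)

def demo():
    """Two checkouts a day apart -> [(plain_sha256, normalized_sha256), ...]."""
    results = []
    for checkout_time in (1433700000, 1433786400):   # constructed checkout times
        with tempfile.TemporaryDirectory() as tmp:
            src = fake_checkout(tmp, checkout_time)
            results.append(tuple(hashlib.sha256(make_tarball(src, n)).hexdigest()
                                 for n in (False, True)))
    return results

if __name__ == "__main__":
    for plain, normalized in demo():
        print("plain:", plain[:16], " normalized:", normalized[:16])
```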

