On 2023-08-09 22:10 +0200, Johannes Schauer Marin Rodrigues wrote:
> it has been a long time since I've analyzed this so things might've changed
> indeed since then. But what I remember is that, depending on the source
> package, running sbuild with --source would produce a different source package
> than was originally passed to sbuild. I tried running this on a few source
> packages to see if I can reproduce this problem today:
>
> sbuild --source --arch-all --arch-any -d unstable --no-run-lintian \
> --no-run-autopkgtest \
> --starting-build-commands='grep -E "^ [a-f0-9]{64} " *_*.dsc >
> before' \
> --finished-build-commands='grep -E "^ [a-f0-9]{64} " *_*.dsc | diff
> -u before -'
>
> Which prints for src:hello this:
>
> --- before 2023-08-09 19:46:05.092628335 +0000
> +++ - 2023-08-09 19:46:25.873292249 +0000
> @@ -1,3 +1,3 @@
> 31e066137a962676e89f69d1b65382de95a7ef7d914b8cb956f41ea72e0f516b
> 725946 hello_2.10.orig.tar.gz
> 4ea69de913428a4034d30dcdcb34ab84f5c4a76acf9040f3091f0d3fac411b60 819
> hello_2.10.orig.tar.gz.asc
> - 60ee7a466808301fbaa7fea2490b5e7a6d86f598956fb3e79c71b3295dc1f249
> 12684 hello_2.10-3.debian.tar.xz
> + 84b14a8c49f9bca8d6c7a5550fed71790e147576c8eb716b2afbd49df4d5a7a9
> 12692 hello_2.10-3.debian.tar.xz
>
>
> I ran diffoscope on the differing debian.tar.xz files and got:
>
> --- ../hello_2.10-3.debian.tar.xz.bak
> +++ ../hello_2.10-3.debian.tar.xz
> │┄ Format-specific differences are supported for XZ compressed files
> but no file-specific differences were detected; falling back to a binary
> diff. file(1) reports: XZ compressed data, checksum CRC64
>
> I suspect that different versions of xz produce differently compressed
> archives?
Not really, actually different versions of dpkg-source produce them.
The xz manpage notes that the single-threaded and multi-threaded
compressors produce different output, and dpkg 1.21.14 switched from
single-threaded to multi-threaded compression. The hello package was
uploaded to the archive before the dpkg 1.21.14 release.
The uploader can also change the compression level with the -z option,
after which you might not be able to reproduce their debian.tar.xz so
easily.
Cheers,
Sven
