This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch master in repository dpkg.
commit d959233560317459336d39197f515c2042472762 Author: Guillem Jover <[email protected]> Date: Sun Jul 17 18:54:18 2016 +0200 Dpkg::Source::Archive: Add support for reproducible source packages Clamp the mtime of the source files when building the tarball to the first defined value from the source_date option, SOURCE_DATE_EPOCH environment variable or time(). This makes sure the generated source tarballs always contain the same mtime for files or directories that have been modified during the build. --- debian/changelog | 3 +++ debian/control | 7 ++++++- scripts/Dpkg/Source/Archive.pm | 5 ++++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index 297c9ff..0267379 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,6 +9,9 @@ dpkg (1.18.10) UNRELEASED; urgency=medium Regression introduced in dpkg 1.18.8. Closes: #830267 * Perl modules: - Disable fixdebugpath feature on unsafe characters in the path. + - Generate reproducible source tarballs by using the new GNU tar + --clamp-mtime option in Dpkg::Source::Archive, to make sure no file + in source packages has an mtime later than the changelog entry time. * Documentation: - Document Testsuite-Triggers in dsc(5). - Fix deb-changes(5) description to talk about .changes instead of .dsc. diff --git a/debian/control b/debian/control index b2b322c..c29e07c 100644 --- a/debian/control +++ b/debian/control @@ -50,7 +50,12 @@ Section: utils Priority: optional Architecture: all Multi-Arch: foreign -Depends: libdpkg-perl (= ${source:Version}), bzip2, xz-utils, +Depends: + libdpkg-perl (= ${source:Version}), +# Needed for --clamp-mtime. + tar (>= 1.28-1), + bzip2, + xz-utils, patch (>= 2.7), make, binutils, base-files (>= 5.0.0), ${misc:Depends} Recommends: gcc | c-compiler, build-essential, fakeroot, gnupg | gnupg2, gpgv | gpgv2, libalgorithm-merge-perl diff --git a/scripts/Dpkg/Source/Archive.pm b/scripts/Dpkg/Source/Archive.pm index 0490fc7..3810f4e 100644 --- a/scripts/Dpkg/Source/Archive.pm +++ b/scripts/Dpkg/Source/Archive.pm @@ -46,9 +46,12 @@ sub create { $self->ensure_open('w'); $spawn_opts{to_handle} = $self->get_filehandle(); $spawn_opts{from_pipe} = \*$self->{tar_input}; + # Try to use a deterministic mtime. + my $mtime = $opts{source_date} // $ENV{SOURCE_DATE_EPOCH} // time; # Call tar creation process $spawn_opts{delete_env} = [ 'TAR_OPTIONS' ]; - $spawn_opts{exec} = [ 'tar', '-cf', '-', '--format=gnu', '--null', + $spawn_opts{exec} = [ 'tar', '-cf', '-', '--format=gnu', + '--mtime', "\@$mtime", '--clamp-mtime', '--null', '--numeric-owner', '--owner=0', '--group=0', @{$opts{options}}, '-T', '-' ]; *$self->{pid} = spawn(%spawn_opts); -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/dpkg/dpkg.git
