reproducible.debian.net status changes for svgsalamander

2017-04-11 Thread Reproducible builds folks
2017-04-11 09:15 
https://tests.reproducible-builds.org/debian/unstable/amd64/svgsalamander 
changed from reproducible -> unreproducible

__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#858876: libjna-jni: causes NoClassDefFoundError

2017-04-11 Thread Markus Koschany
On 11.04.2017 at 22:33, Emmanuel Bourg wrote:
> On 04/11/2017 08:12 PM, Markus Koschany wrote:
> 
>> This issue could be resolved by changing the library name to
>> jnidispatch.system in Netbeans. However I don't understand why we had to
>> change the name in the first place.
> 
> Actually Netbeans shouldn't have to specify the library name at all.
> libjna-java has been patched to use the system library by default, so
> any package using it has no need to fiddle with the library loading
> mechanism.

I'm sure the upstream developers of Netbeans are all ears for your
proposal. They had set the jna.boot.library.name property to
jnidispatch-410, so I had to change it to jnidispatch to get it working
with Debian's system jar. [1]


>> In my opinion LP #1065253 is not a bug because Debian's system JNA works
>> as expected and for custom projects you just have to set
>> -Djna.nosys=true. We can't provide multiple versions of JNA due to the
>> usual reasons (code duplication, security impact).
> 
> The point of LP #1065253 is that our JNA library gets in the way of
> third party applications using their own incompatible version of JNA. We
> can't expect users to understand and fix this on their own by tweaking
> the invocation parameters.

I beg to differ. I think we should expect that people read the
documentation. I think we are mainly responsible to ensure that all
packages in Debian are working well together. It is nearly impossible to
cover all use cases especially if you take customized local user
packages into account. In this special case there is even a recommended
way, -Djna.nosys=true, to get local packages working, thus there is
actually no reason to patch JNA.

>> Ways to resolve this bug
>>
>> a) Revert the fix for LP #1065253
>> b) Reassign to Netbeans and rename the library name in
>> netbeans-platform-nojnabinaries.patch
> 
> I think this is a netbeans issue, netbeans-platform-nojnabinaries.patch
> should be changed such that the jna.boot.library.name property is no
> longer set. This will use the default library wired in libjna-java.

Yes, I could try to remove the jna.boot.library.name property completely
from Netbeans or more precisely libnb-platforms-java which is actually
the package in use here. However it doesn't feel right to me to diverge
from upstream JNA and other distributions if we don't have to.

I just checked Fedora and they don't rename the library name. They seem
to enforce the system library under all circumstances instead. Is this
something we could use in Debian too? [2]

Markus

[1]
https://anonscm.debian.org/cgit/pkg-java/netbeans.git/tree/debian/patches/netbeans-platform-nojnabinaries.patch
[2]
http://pkgs.fedoraproject.org/cgit/rpms/jna.git/tree/0002-Load-system-library.patch




bouncycastle_1.49+dfsg-3+deb8u2_amd64.changes ACCEPTED into proposed-updates->stable-new

2017-04-11 Thread Debian FTP Masters
Mapping stable-security to proposed-updates.

Accepted:

Format: 1.8
Date: Mon, 10 Apr 2017 20:44:53 +0200
Source: bouncycastle
Binary: libbcprov-java libbcprov-java-doc libbcmail-java libbcmail-java-doc libbcpkix-java libbcpkix-java-doc libbcpg-java libbcpg-java-doc
Architecture: source all
Version: 1.49+dfsg-3+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers 

Changed-By: Markus Koschany 
Description:
 libbcmail-java - Bouncy Castle generators/processors for S/MIME and CMS
 libbcmail-java-doc - Bouncy Castle generators/processors for S/MIME and CMS (Documenta
 libbcpg-java - Bouncy Castle generators/processors for OpenPGP
 libbcpg-java-doc - Bouncy Castle generators/processors for OpenPGP (Documentation)
 libbcpkix-java - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS, OCSP, CMP,
 libbcpkix-java-doc - Bouncy Castle Java API for PKIX, CMS, EAC, TSP, PKCS... (Document
 libbcprov-java - Bouncy Castle Java Cryptographic Service Provider
 libbcprov-java-doc - Bouncy Castle Java Cryptographic Service Provider (Documentation)
Changes:
 bouncycastle (1.49+dfsg-3+deb8u2) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2015-6644:
     An information disclosure vulnerability was discovered in Bouncy Castle, a
     Java library which consists of various cryptographic algorithms. The
     Galois/Counter mode (GCM) implementation was missing a boundary check that
     could enable a local application to gain access to user's private
     information.

Processing of bouncycastle_1.49+dfsg-3+deb8u2_amd64.changes

2017-04-11 Thread Debian FTP Masters
bouncycastle_1.49+dfsg-3+deb8u2_amd64.changes uploaded successfully to localhost
along with the files:
  bouncycastle_1.49+dfsg-3+deb8u2.dsc
  bouncycastle_1.49+dfsg-3+deb8u2.debian.tar.xz
  libbcprov-java_1.49+dfsg-3+deb8u2_all.deb
  libbcprov-java-doc_1.49+dfsg-3+deb8u2_all.deb
  libbcmail-java_1.49+dfsg-3+deb8u2_all.deb
  libbcmail-java-doc_1.49+dfsg-3+deb8u2_all.deb
  libbcpkix-java_1.49+dfsg-3+deb8u2_all.deb
  libbcpkix-java-doc_1.49+dfsg-3+deb8u2_all.deb
  libbcpg-java_1.49+dfsg-3+deb8u2_all.deb
  libbcpg-java-doc_1.49+dfsg-3+deb8u2_all.deb

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Bug#858876: libjna-jni: causes NoClassDefFoundError

2017-04-11 Thread Emmanuel Bourg
On 04/11/2017 08:12 PM, Markus Koschany wrote:

> This issue could be resolved by changing the library name to
> jnidispatch.system in Netbeans. However I don't understand why we had to
> change the name in the first place.

Actually Netbeans shouldn't have to specify the library name at all.
libjna-java has been patched to use the system library by default, so
any package using it has no need to fiddle with the library loading
mechanism.


> In my opinion LP #1065253 is not a bug because Debian's system JNA works
> as expected and for custom projects you just have to set
> -Djna.nosys=true. We can't provide multiple versions of JNA due to the
> usual reasons (code duplication, security impact).

The point of LP #1065253 is that our JNA library gets in the way of
third party applications using their own incompatible version of JNA. We
can't expect users to understand and fix this on their own by tweaking
the invocation parameters.


> Ways to resolve this bug
> 
> a) Revert the fix for LP #1065253
> b) Reassign to Netbeans and rename the library name in
> netbeans-platform-nojnabinaries.patch

I think this is a netbeans issue, netbeans-platform-nojnabinaries.patch
should be changed such that the jna.boot.library.name property is no
longer set. This will use the default library wired in libjna-java.

Emmanuel Bourg




Bug#858876: libjna-jni: causes NoClassDefFoundError

2017-04-11 Thread Markus Koschany
On Sun, 09 Apr 2017 08:13:00 + Niels Thykier  wrote:
[...]
> Any update on this? This bug is one of the last ~60 RC bugs in key
> packages for the stretch release. :)

Hi,

I had a look at this issue. If we introduce the symlink
libjnidispatch.so -> libjnidispatch.system.so in /usr/lib/$MULTIARCH we
could indeed work around this bug which however exists because

a) Netbeans had to be patched to use Debian's system JNA files instead
of the embedded ones (see the netbeans-platform-nojnabinaries.patch),

and b) because of the fix for LP #1065253 [1].

This issue could be resolved by changing the library name to
jnidispatch.system in Netbeans. However I don't understand why we had to
change the name in the first place. According to the Ubuntu bug the bug
submitter tried to build a local Jenkins plugin but our system JNA
library and the custom local project didn't work well together. He also
came up with the correct solution for his problem: to pass
-DargLine="-Djna.nosys=true" to Maven.

In my opinion LP #1065253 is not a bug because Debian's system JNA works
as expected and for custom projects you just have to set
-Djna.nosys=true. We can't provide multiple versions of JNA due to the
usual reasons (code duplication, security impact).

Ways to resolve this bug

a) Revert the fix for LP #1065253
b) Reassign to Netbeans and rename the library name in
netbeans-platform-nojnabinaries.patch

I tend to implement option a) because I think Debian should not diverge
from upstream in this case and users should adjust their custom
projects as needed if Debian's system version is not compatible.

Regards,

Markus


[1] https://bugs.launchpad.net/ubuntu/+source/libjna-java/+bug/1065253
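
Added example, not part of the original message and not code from JNA, NetBeans or Debian: the name-to-file mapping behind the options discussed above, run against a constructed stand-in for /usr/lib/$MULTIARCH. It assumes the Linux JVM convention that a library name N is looked up as libN.so; the function names are hypothetical.

```shell
#!/bin/sh
# Added illustration; not code from JNA, NetBeans or Debian.
# Assumption: on Linux the JVM maps a library name N to the file "libN.so".

# Print the file name looked up for a given jna.boot.library.name value.
map_library_name() {
    printf 'lib%s.so\n' "$1"
}

# resolve_boot_library DIR NAME
# Print the real file that NAME resolves to inside DIR, or return 1.
resolve_boot_library() {
    candidate="$1/$(map_library_name "$2")"
    # -e follows symlinks, so a dangling symlink is reported as missing.
    [ -e "$candidate" ] || return 1
    readlink -f "$candidate"
}

# Constructed stand-in for /usr/lib/$MULTIARCH after the LP #1065253 change:
# only the renamed library is present.
make_sample_libdir() {
    sample=$(mktemp -d) || return 1
    : > "$sample/libjnidispatch.system.so"
    printf '%s\n' "$sample"
}

# Report which of the names mentioned in the thread resolve in DIR.
report() {
    for name in jnidispatch-410 jnidispatch jnidispatch.system; do
        if target=$(resolve_boot_library "$1" "$name"); then
            printf '%-20s -> %s\n' "$name" "${target##*/}"
        else
            printf '%-20s -> not found (%s)\n' "$name" "$(map_library_name "$name")"
        fi
    done
}

libdir=$(make_sample_libdir)
echo "renamed library only:"
report "$libdir"

# The workaround proposed in the thread: a compatibility symlink.
ln -s libjnidispatch.system.so "$libdir/libjnidispatch.so"
echo "with compatibility symlink:"
report "$libdir"
rm -rf "$libdir"
```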




Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Markus Koschany
On 11.04.2017 at 17:44, Salvatore Bonaccorso wrote:
[...]
>> I suggest to use the found/fixed tags as
>> needed.
> 
> NB: Which is exactly what I did (see the different found versions), to
> track correctly the version as well in BTS. But now it would treat
> e.g.  CVE-2017-5650 as well as found in 8.0.14-1 which is not true.
> 
> Anyway, thanks a lot for taking care of those CVEs and fixing them!
> 
> Regards,
> Salvatore

I appreciate that you already did an assessment which version is
affected or not. However I find it simpler to report all newly found
vulnerabilities with one bug report and then let the maintainer evaluate
the situation and act on the bug report as needed. Moritz does this a
lot when he reports CVEs. Your approach makes total sense too but
since we have the security tracker with all that information, you have
already marked two CVEs as fixed in Jessie, it's not necessarily
imperative.

By the way we also have many CVEs with no Debian bug report and users
just have to rely on the security tracker for further information. In
fact we want them to use it and the bug reports are more a heads-up for
maintainers.

Of course this is just my stubborn opinion, it's not easy to please
everybody. Others will surely want that you report all those dozens of
CVEs for package X separately...

Regards,

Markus





Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Salvatore Bonaccorso
Hi,

On Tue, Apr 11, 2017 at 05:24:25PM +0200, Markus Koschany wrote:
> On 11.04.2017 at 17:18, Salvatore Bonaccorso wrote:
> > Hi Markus,
> > 
> > On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote:
> >> Processing control commands:
> >>
> >>> merge 860068 860069 860070 860071
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> >> Marked as found in versions tomcat8/8.5.11-1.
> >> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
> >> Marked as found in versions tomcat8/8.0.14-1.
> >> Merged 860068 860069 860070 860071
> > 
> > Why the merge? It was an explicit choice to open 4 bugs due to the
> > different CVEs and different affected versions (note that two affect
> > 8.0.14-1 and two only 8.5.11-1 but not the version in jessie).
> 
> Hi,
> 
[...]
> I suggest to use the found/fixed tags as
> needed.

NB: Which is exactly what I did (see the different found versions), to
track correctly the version as well in BTS. But now it would treat
e.g.  CVE-2017-5650 as well as found in 8.0.14-1 which is not true.

Anyway, thanks a lot for taking care of those CVEs and fixing them!

Regards,
Salvatore



Bug#860068: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Markus Koschany
On 11.04.2017 at 17:18, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote:
>> Processing control commands:
>>
>>> merge 860068 860069 860070 860071
>> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
>> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
>> Marked as found in versions tomcat8/8.5.11-1.
>> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
>> Marked as found in versions tomcat8/8.5.11-1.
>> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
>> Marked as found in versions tomcat8/8.0.14-1.
>> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
>> Marked as found in versions tomcat8/8.0.14-1.
>> Merged 860068 860069 860070 860071
> 
> Why the merge? It was an explicit choice to open 4 bugs due to the
> different CVEs and different affected versions (note that two affect
> 8.0.14-1 and two only 8.5.11-1 but not the version in jessie).

Hi,

please combine CVEs for (Java) packages because single bug reports just
create more noise on the list and in the end we make one upload to
address all of them together. I suggest to use the found/fixed tags as
needed.

Regards,

Markus





Re: Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Salvatore Bonaccorso
Hi Markus,

On Tue, Apr 11, 2017 at 02:18:14PM +, Debian Bug Tracking System wrote:
> Processing control commands:
> 
> > merge 860068 860069 860070 860071
> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
> Marked as found in versions tomcat8/8.5.11-1.
> Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
> Marked as found in versions tomcat8/8.5.11-1.
> Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
> Marked as found in versions tomcat8/8.0.14-1.
> Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
> Marked as found in versions tomcat8/8.0.14-1.
> Merged 860068 860069 860070 860071

Why the merge? It was an explicit choice to open 4 bugs due to the
different CVEs and different affected versions (note that two affect
8.0.14-1 and two only 8.5.11-1 but not the version in jessie).

Regards,
Salvatore



Processed: Re: Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Debian Bug Tracking System
Processing control commands:

> merge 860068 860069 860070 860071
Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
Marked as found in versions tomcat8/8.5.11-1.
Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
Marked as found in versions tomcat8/8.5.11-1.
Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
Marked as found in versions tomcat8/8.0.14-1.
Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
Marked as found in versions tomcat8/8.0.14-1.
Merged 860068 860069 860070 860071
> owner 860068 !
Bug #860068 [src:tomcat8] tomcat8: CVE-2017-5647
Bug #860069 [src:tomcat8] tomcat8: CVE-2017-5648
Bug #860070 [src:tomcat8] tomcat8: CVE-2017-5650
Bug #860071 [src:tomcat8] tomcat8: CVE-2017-5651
Owner recorded as Markus Koschany .
Owner recorded as Markus Koschany .
Owner recorded as Markus Koschany .
Owner recorded as Markus Koschany .

-- 
860068: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860068
860069: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860069
860070: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860070
860071: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860071
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#860068: tomcat8: CVE-2017-5647

2017-04-11 Thread Markus Koschany
Control: merge 860068 860069 860070 860071
Control: owner 860068 !

I will take care of these CVEs. To reduce the noise on the list I'm
going to merge all four reports into one.

Markus




Bug#859973: marked as done (jython: please make the javadoc build reproducible)

2017-04-11 Thread Debian Bug Tracking System
Your message dated Tue, 11 Apr 2017 13:59:45 +0100
with message-id <20170411125945.gb19...@blind.goeswhere.com>
and subject line jython: doesn't actually have timestamps in javadoc
has caused the Debian Bug report #859973,
regarding jython: please make the javadoc build reproducible
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
859973: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=859973
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jython
Version: 2.5.3-16
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps
Priority: wishlist

The javadoc in jython contains timestamps, which prevent the
package from building reproducibly. Please pass the -notimestamp
argument to javadoc. This can be done by adding:



..to the "javadocs" https://sources.debian.net/src/jython/2.5.3-16/build.xml/#L756

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/jython.html

Cheers.
--- End Message ---
--- Begin Message ---
Okay, my bad. You're right, there aren't timestamps in the javadoc here.
I'm pretty sure I double checked this. I wonder what I was looking at.

I'll raise different bugs if and when I get around to the other issues.

Sorry!
--- End Message ---