Bug#870890: apg; please make the build reproducible (timestamps)
Hi.

I have rewritten the apg patch using the SOURCE_DATE_EPOCH variable. The attached patch clamps the timestamps to the changelog timestamp when creating the source archive using the SOURCE_DATE_EPOCH variable. Once applied, apg can be built reproducibly in our current experimental framework.

Cheers.
Jathan

--
Please avoid sending me attachments in Word or PowerPoint format; if you want to know why, read this: http://www.gnu.org/philosophy/no-word-attachments.es.html
Switch to GNU/Linux! http://getgnulinux.org/es

diff -Nru apg-2.2.3.dfsg.1/debian/changelog apg-2.2.3.dfsg.1/debian/changelog --- apg-2.2.3.dfsg.1/debian/changelog 2016-08-05 05:04:46.0 -0500 +++ apg-2.2.3.dfsg.1/debian/changelog 2017-10-01 20:52:02.0 -0500 @@ -1,3 +1,10 @@ +apg (2.2.3.dfsg.1-4.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Fix timestamps_in_tarball reproducible build issue. + + -- Jonathan Bustillos Sun, 01 Oct 2017 20:52:02 -0500 + apg (2.2.3.dfsg.1-4) unstable; urgency=low * add patch from Steve Langasek to use correct compiler (Closes: #734870) diff -Nru apg-2.2.3.dfsg.1/debian/rules apg-2.2.3.dfsg.1/debian/rules --- apg-2.2.3.dfsg.1/debian/rules 2016-08-05 05:04:46.0 -0500 +++ apg-2.2.3.dfsg.1/debian/rules 2017-10-01 20:51:27.0 -0500 @@ -1,5 +1,6 @@ #!/usr/bin/make -f +SOURCE_DATE_EPOCH ?= $(shell dpkg-parsechangelog -STimestamp) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) @@ -19,6 +20,7 @@ make install INSTALL_PREFIX=$(CURDIR)/debian/apg/usr mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg tar --create --file - --directory $(CURDIR)/php/apgonline/ . \ + --clamp-mtime --mtime="$(SOURCE_DATE_EPOCH)" \ --mode=u=rwX,go=rX --sort=name | gzip --no-name > php.tar.gz install -D --mode=0644 php.tar.gz $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz rm php.tar.gz
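Review bot: in the new debian/changelog entry, nothing references this bug, so an upload of 2.2.3.dfsg.1-4.1 would not close it. Append (Closes: #870890) to the "Fix timestamps_in_tarball reproducible build issue." line.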
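Review bot: in the first debian/rules hunk, SOURCE_DATE_EPOCH is assigned with ?= but never exported, so when the variable is not already in the environment only the tar line that expands $(SOURCE_DATE_EPOCH) sees the value, and the make install run from the same recipe does not. Add "export SOURCE_DATE_EPOCH" after the assignment so child processes get the same timestamp.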
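Review bot: in the second debian/rules hunk, --mtime="$(SOURCE_DATE_EPOCH)" hands tar a bare count of seconds, which GNU tar parses as a date string rather than as a Unix timestamp. Prefix the value with @ so it is read as seconds since the epoch: --mtime="@$(SOURCE_DATE_EPOCH)".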
Bug#870890: apg; please make the build reproducible (timestamps)
On 2017-08-05, jathan wrote:
> diff -Nru apg-2.2.3.dfsg.1/debian/changelog apg-2.2.3.dfsg.1/debian/changelog > --- apg-2.2.3.dfsg.1/debian/changelog 2016-08-05 05:04:46.0 -0500 > +++ apg-2.2.3.dfsg.1/debian/changelog 2017-08-05 20:52:19.0 -0500 > @@ -1,3 +1,10 @@ > +apg (2.2.3.dfsg.1-4.1) UNRELEASED; urgency=medium > + > + * Non-maintainer upload. > + * Fix timestamps_in_tarball reproducible build issue. > + > + -- Jonathan Bustillos Sat, 05 Aug 2017 > 20:52:19 -0500 > + > apg (2.2.3.dfsg.1-4) unstable; urgency=low > >* add patch from Steve Langasek to use correct compiler (Closes: #734870) > diff -Nru apg-2.2.3.dfsg.1/debian/rules apg-2.2.3.dfsg.1/debian/rules > --- apg-2.2.3.dfsg.1/debian/rules 2016-08-05 05:04:46.0 -0500 > +++ apg-2.2.3.dfsg.1/debian/rules 2017-08-05 20:49:26.0 -0500 > @@ -1,5 +1,6 @@ > #!/usr/bin/make -f > > +SOURCE_DATE := $(shell dpkg-parsechangelog --show-field=Date) > DEB_HOST_GNU_TYPE?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) > DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) > > @@ -19,6 +20,7 @@ > make install INSTALL_PREFIX=$(CURDIR)/debian/apg/usr > mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg > tar --create --file - --directory $(CURDIR)/php/apgonline/ . \ > + --clamp-mtime --mtime="$(SOURCE_DATE)" \ > --mode=u=rwX,go=rX --sort=name | gzip --no-name > php.tar.gz > install -D --mode=0644 php.tar.gz > $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz > rm php.tar.gz

Is it feasible to rewrite the patch using SOURCE_DATE_EPOCH, rather than a custom variable name?

https://reproducible-builds.org/specs/source-date-epoch/

live well,
vagrant
Bug#870890: apg; please make the build reproducible (timestamps)
Source: apg
Version: 2.2.3.dfsg.1-4
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Hi!

While working on the “reproducible builds” effort [1], we have noticed that apg could not be built reproducibly.

The attached patch clamps the timestamps to the changelog timestamp when creating the source archive. Once applied, apg can be built reproducibly in our current experimental framework.

[1]: https://wiki.debian.org/ReproducibleBuilds

--
Please avoid sending me attachments in Word or PowerPoint format; if you want to know why, read this: http://www.gnu.org/philosophy/no-word-attachments.es.html
Switch to GNU/Linux! http://getgnulinux.org/es

diff -Nru apg-2.2.3.dfsg.1/debian/changelog apg-2.2.3.dfsg.1/debian/changelog --- apg-2.2.3.dfsg.1/debian/changelog 2016-08-05 05:04:46.0 -0500 +++ apg-2.2.3.dfsg.1/debian/changelog 2017-08-05 20:52:19.0 -0500 @@ -1,3 +1,10 @@ +apg (2.2.3.dfsg.1-4.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Fix timestamps_in_tarball reproducible build issue. + + -- Jonathan Bustillos Sat, 05 Aug 2017 20:52:19 -0500 + apg (2.2.3.dfsg.1-4) unstable; urgency=low * add patch from Steve Langasek to use correct compiler (Closes: #734870) diff -Nru apg-2.2.3.dfsg.1/debian/rules apg-2.2.3.dfsg.1/debian/rules --- apg-2.2.3.dfsg.1/debian/rules 2016-08-05 05:04:46.0 -0500 +++ apg-2.2.3.dfsg.1/debian/rules 2017-08-05 20:49:26.0 -0500 @@ -1,5 +1,6 @@ #!/usr/bin/make -f +SOURCE_DATE := $(shell dpkg-parsechangelog --show-field=Date) DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
@@ -19,6 +20,7 @@ make install INSTALL_PREFIX=$(CURDIR)/debian/apg/usr mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg tar --create --file - --directory $(CURDIR)/php/apgonline/ . \ + --clamp-mtime --mtime="$(SOURCE_DATE)" \ --mode=u=rwX,go=rX --sort=name | gzip --no-name > php.tar.gz install -D --mode=0644 php.tar.gz $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz rm php.tar.gz
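Review bot: the tar call in the second debian/rules hunk now pins mtimes, modes and member order, but it still records whatever owner and group the build sees for the files under php/apgonline/, which can differ between build environments. Consider adding --owner=0 --group=0 --numeric-owner next to --clamp-mtime so the archive does not depend on the building account.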
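A way to check the report's claim that clamping mtimes makes the tarball byte-identical across rebuilds, as an added example that is not part of this thread or of the apg packaging. The directory contents, the epoch value 1500000000 and the function names are constructed for the demo, and the --owner/--group/--numeric-owner options are extra normalisation that the patch does not contain; GNU tar and sha256sum are assumed.

```sh
#!/bin/sh
# Added example: directory contents and epoch value are constructed.

# archive_hash DIR [tar options...] -> SHA-256 of the gzip'd tar of DIR
archive_hash() {
    dir=$1; shift
    # --owner/--group/--numeric-owner are extra normalisation, not in the patch.
    # The tar is written to a file first so a tar failure is not hidden by the pipe.
    tar --create --file "$dir.tar" --directory "$dir" "$@" \
        --owner=0 --group=0 --numeric-owner \
        --mode=u=rwX,go=rX --sort=name . || return 1
    gzip --no-name < "$dir.tar" | sha256sum | cut -d' ' -f1
}

# compare_builds [tar options...] -> prints "identical" or "differs"
compare_builds() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/lib"
    printf '<?php echo "demo"; ?>\n' > "$work/src/index.php"
    printf '<?php // helper ?>\n' > "$work/src/lib/util.php"
    first=$(archive_hash "$work/src" "$@") || { rm -rf "$work"; return 1; }
    # Simulate a later rebuild: same content, newer on-disk mtimes
    touch -t 203001010000 "$work/src/lib/util.php" "$work/src/index.php" \
        "$work/src/lib" "$work/src"
    second=$(archive_hash "$work/src" "$@") || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    if [ "$first" = "$second" ]; then echo identical; else echo differs; fi
}

# The @ prefix makes tar read the value as seconds since the epoch
echo "clamped:   $(compare_builds --clamp-mtime --mtime=@1500000000)"
echo "unclamped: $(compare_builds)"
```

The unclamped run differs because the tar headers carry each member's mtime, which gzip --no-name does not remove.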