Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
Jeroen Dekkers: > > PPS: If we start bikeshedding on every patch, there's not even the > > slightest chance we will get to the point where build reproducibility is > > actually a Debian feature. We need to trust maintainers to do the right > > things. > > I definitely don't want to bikeshed about every patch, but I think > it's a good idea to discuss what is the best way to fix this class of > bugs, because we are going to have to fix this in a lot more places. I > remember from the DC13 bof that it was proposed to have > dpkg-buildpackage export the locale, so my thought was, instead of > having to do this in the debian/rules of every package that needs it, > why not have dpkg-buildpackage export the changelog timestamp? It seems it makes maintainers unhappy when calling `debian/rules build` and `dpkg-buildpackage` produce different results. (Note that I'm mentioning the “build” target here.) That's why I tend to think relying on something exported by `dpkg-buildpackage` is tricky. One other concern for now is that Guillem has not commented on #75. So it's unclear to me if DEB_BUILD_TIMESTAMP is going to stay in the future. > And even if we put it in debian/rules, I think it's a good idea to > standardize on the environment name we use for this. Is there really something generic enough to be applied to all packages? For lsof (see #762433), the code already supported LSOF_CCDATE (which contained the timestamp of the build) being an empty string. So it felt proper to just modify the configure script to be able to write an empty string… For other packages, maybe upstream would rather use a date present in their changelog, or their Git repository as said earlier. For now, I don't know. Let's just fix more packages so we can figure this out. -- Lunar.''`. lu...@debian.org: :Ⓐ : # apt-get install anarchism `. `'` `- signature.asc Description: Digital signature ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
Jeroen Dekkers: > At Mon, 22 Sep 2014 22:57:55 +0200, > Jérémy Bobbio wrote: > > But, sincerely, I believe the right move for upstream would be to get > > rid of the embedded timestamp entirely. Embedding a Git commit id would > > make much more sense (and mabye its date) than embedding the time of the > > build. > > I agree, but I am not so sure that we can convince every upstream > about this, whether we should spend our time arguing about it and > whether we should start creating more complicated patches that for > example embed a git commit (if that's at all possible - how do you get > the git commit when building from a tarball?) instead of creating a > simpler patch that makes the timestamp reproducible. For an example, recording the Git commit id is something I had to work out for HTTPS Everywhere. See: http://sources.debian.net/src/https-everywhere/4.0.1-1/debian/rules/?hl=9:13,24:28 http://sources.debian.net/src/https-everywhere/4.0.1-1/debian/patches/use-recorded-upstream-commit-id.patch/ That's because upstream uses the commit id to find the source of a rule: http://sources.debian.net/src/https-everywhere/4.0.1-1/src/chrome/content/fetch-source.js/?hl=51:62 Not saying that it's nice or easy, just that it's doable. -- Lunar.''`. lu...@debian.org: :Ⓐ : # apt-get install anarchism `. `'` `- signature.asc Description: Digital signature ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
(Removed the bug from the CC as this is a more general discussion) At Mon, 22 Sep 2014 22:57:55 +0200, Jérémy Bobbio wrote: > But, sincerely, I believe the right move for upstream would be to get > rid of the embedded timestamp entirely. Embedding a Git commit id would > make much more sense (and mabye its date) than embedding the time of the > build. I agree, but I am not so sure that we can convince every upstream about this, whether we should spend our time arguing about it and whether we should start creating more complicated patches that for example embed a git commit (if that's at all possible - how do you get the git commit when building from a tarball?) instead of creating a simpler patch that makes the timestamp reproducible. > PPS: If we start bikeshedding on every patch, there's not even the > slightest chance we will get to the point where build reproducibility is > actually a Debian feature. We need to trust maintainers to do the right > things. I definitely don't want to bikeshed about every patch, but I think it's a good idea to discuss what is the best way to fix this class of bugs, because we are going to have to fix this in a lot more places. I remember from the DC13 bof that it was proposed to have dpkg-buildpackage export the locale, so my thought was, instead of having to do this in the debian/rules of every package that needs it, why not have dpkg-buildpackage export the changelog timestamp? And even if we put it in debian/rules, I think it's a good idea to standardize on the environment name we use for this. Kind regards, Jeroen Dekkers ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
At Mon, 22 Sep 2014 15:15:50 -0400, Daniel Kahn Gillmor wrote: > > On 09/21/2014 04:58 PM, Dominic Hargreaves wrote: > > On Sun, Sep 21, 2014 at 10:45:14PM +0200, Jérémy Bobbio wrote: > >> As part of the “reproducible builds” effort [1], it was detected that > >> libgpg-error could not be built reproducibly. > >> > >> The build process capture the time of the build. This piece of > >> information is not really helpful to anyone and prevents the build > >> process from being deterministic. > >> > >> The attached patch will instead use the time of the latest > >> debian/changelog entry. Once applied, libgpg-error can be built > >> reproducibly! :) > > > > Wouldn't it be better to patch configure.ac in a way useful to upstream; > > for example by having it use the time from an exported environment > > variable? Otherwise the package is going to have to carry around a > > Debian-specific patch forever. > > I like Dominic's suggestion (we'd need to pass the env var from > debian/rules), and i'll see what i can suggest upstream. Jérémy actually already wrote a patch for dpkg-buildpackage to export DEB_BUILD_TIMESTAMP: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=75 But if we want to push these things upstream, wouldn't it be better to remove the DEB_ prefix from the name of the environment variable? Jeroen Dekkers ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
Jeroen Dekkers: > Jérémy actually already wrote a patch for dpkg-buildpackage to export > DEB_BUILD_TIMESTAMP: > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=75 > > But if we want to push these things upstream, wouldn't it be better to > remove the DEB_ prefix from the name of the environment variable? This is unrelated. DEB_BUILD_TIMESTAMP is meant to be consumed by dpkg. If libgpg-error build system needs to be fed with a timestamp, it would need to be through another environment variable. In that case, debian/rules should probably take care of feeding the right value. But, sincerely, I believe the right move for upstream would be to get rid of the embedded timestamp entirely. Embedding a Git commit id would make much more sense (and mabye its date) than embedding the time of the build. PS: Please call me Lunar. PPS: If we start bikeshedding on every patch, there's not even the slightest chance we will get to the point where build reproducibility is actually a Debian feature. We need to trust maintainers to do the right things. -- Lunar.''`. lu...@debian.org: :Ⓐ : # apt-get install anarchism `. `'` `- signature.asc Description: Digital signature ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
On 09/21/2014 04:58 PM, Dominic Hargreaves wrote: > On Sun, Sep 21, 2014 at 10:45:14PM +0200, Jérémy Bobbio wrote: >> As part of the “reproducible builds” effort [1], it was detected that >> libgpg-error could not be built reproducibly. >> >> The build process capture the time of the build. This piece of >> information is not really helpful to anyone and prevents the build >> process from being deterministic. >> >> The attached patch will instead use the time of the latest >> debian/changelog entry. Once applied, libgpg-error can be built >> reproducibly! :) > > Wouldn't it be better to patch configure.ac in a way useful to upstream; > for example by having it use the time from an exported environment > variable? Otherwise the package is going to have to carry around a > Debian-specific patch forever. I like Dominic's suggestion (we'd need to pass the env var from debian/rules), and i'll see what i can suggest upstream. Thanks for these hints! --dkg signature.asc Description: OpenPGP digital signature ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
Another option is building with faketime. I've had good luck with a couple of C builds using faketime to freeze time entirely during the whole make process. But I think the reproducible work in Debian so far has avoided using faketime. signature.asc Description: OpenPGP digital signature ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds
Re: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process
On Sun, Sep 21, 2014 at 10:45:14PM +0200, Jérémy Bobbio wrote: > As part of the “reproducible builds” effort [1], it was detected that > libgpg-error could not be built reproducibly. > > The build process capture the time of the build. This piece of > information is not really helpful to anyone and prevents the build > process from being deterministic. > > The attached patch will instead use the time of the latest > debian/changelog entry. Once applied, libgpg-error can be built > reproducibly! :) Wouldn't it be better to patch configure.ac in a way useful to upstream; for example by having it use the time from an exported environment variable? Otherwise the package is going to have to carry around a Debian-specific patch forever. Cheers, Dominic. ___ Reproducible-builds mailing list Reproducible-builds@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/reproducible-builds