Package: sbuild Version: 0.72.0-2 Currently, when adding a changelog stanza for a binnmu (or when appending to the version number is requested for another reason), sbuild uses the existing source changelog timestamp when inventing the changelog entry for the binnmu itself:
http://sources.debian.net/src/sbuild/0.72.0-2/lib/Sbuild/Build.pm/#L2005 This causes problems because it means that (in the usual case) the rebuilt package has files with the same timestamps as the previous build, but different contents. So on the end system, the timestamps cani be misleading, causing malfunction of backup programs etc. (Eg an upgrade to a binnmu would be captured only partially in a backup, leading to lossage.) AIUI there were two reasons why this particular timestamp was (might have been) chosen: Firstly, part of an early attempt to assist multiarch by making all the changelogs identical on different architectures. But in fact, the changelog is not identical in any case (because different architectures may have differently version-numbered binnmus). So the binnmu changelog entry is nowadays put in a separate file, and need not be the same on different architectures. Secondly, an attempt to assist reproducible builds. But the reproducible build output necessarily includes the complete binnmu changelog entry; therefore the complete binnmu changelog entry is an input to a repro-build attempt. It is indeed contained in the Binary-Only-Changes field of the .buildinfo. Subsequent binnmu builds of the same package should generate packages containing increasing timestamps. The best timestamp to use is the timestamp of the build attempt. So, sbuild should use `date -R`[1] instead of the date from the last changelog entry in the source package, when generating the binnmu changelog entry. [1] Actually, sbuild seems to have a tweakable parameter "Pkg Start Time" which looks like it would be appropriate, so something like this: my $date = strftime_c "%FT%TZ", gmtime($self->get('Pkg Start Time')); Ian. -- Ian Jackson <ijack...@chiark.greenend.org.uk> These opinions are my own. If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.