Bug#1059576: geophar: please make the build reproducible

Thu, 28 Dec 2023 07:54:15 -0800 

Source: geophar
Version: 18.10+dfsg1-1
Severity: wishlist
Tags: patch
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org
Control: user -1 reproducible-bui...@lists.alioth.debian.org

Dear Maintainer,

I'm an occasional volunteer to the Reproducible Builds[0] project and
noticed that your package 'geophar' failed to build reproducibly recently
during automated testing.

The reproducible-builds tests build projects with varying environment
configuration (locale, shell, username, ...) and in the case of 'geophar' it
seems that differing timezones (env var TZ) caused the build to emit different
results.

The cause seems to be the version-replacement code in 'debian/rules' that
embeds the latest version and date from the Debian changelog (sensible) into
the packaged version information.

Extracting some scripting from geophar-18.10+dfsg1 and re-running it for some
widely-separated timezones I confirmed that the resulting output differs:

  $ TZ='Etc/GMT+12' date --date=@$(dpkg-parsechangelog --show-field Timestamp) 
+"%Y, %-m, %-d"
  2023, 10, 4
  $ TZ='Etc/GMT-14' date --date=@$(dpkg-parsechangelog --show-field Timestamp) 
+"%Y, %-m, %-d"
  2023, 10, 6

Since the Debian changelog version is parsed as a Unix timestamp (integer
seconds since 1970-01-01), I think it should be safe to request that the 'date'
command emit an output that is localized to the UTC timezone, creating a stable
output:

  $ TZ='Etc/GMT+12' date --utc --date=@$(dpkg-parsechangelog --show-field 
Timestamp) +"%Y, %-m, %-d"
  2023, 10, 5
  $ TZ='Etc/GMT-14' date --utc --date=@$(dpkg-parsechangelog --show-field 
Timestamp) +"%Y, %-m, %-d"
  2023, 10, 5

Please find attached a patch to achieve this result for the package.

Thank you,
James

[0] - https://reproducible-builds.org/

diff --git a/debian/rules b/debian/rules
index d534751..05a29a5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -54,7 +54,7 @@ override_dh_install:
          sed -i 
's%https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML%http://localhost/javascript/mathjax/MathJax.js%'
 $$f; \
        done
        # modify the version number
-       date=$$(date --date="@$$(dpkg-parsechangelog --show-field Timestamp)" 
+"(%Y, %-m, %-d)"); \
+       date=$$(date --utc --date="@$$(dpkg-parsechangelog --show-field 
Timestamp)" +"(%Y, %-m, %-d)"); \
        version=$$(dpkg-parsechangelog --show-field Version); \
        fileToChange=debian/geophar/usr/share/geophar/wxgeometrie/version.py; \
        echo version = $$version, date_version = $$date; \

Reply via email to