On Wed, 21 Feb 2024 at 15:52, Zygmunt Krynicki <m...@zygoon.pl> wrote:
>
> > Message written by James Addison <j...@jp-hosting.net> on 21.02.2024, at 15:49:
> >
> > Source: snapd
> > Version: 2.61.1-1
> > Severity: wishlist
> >
> > ... [snip] ...
> >
> > One cause of non-reproducibility for the package appears to be that the
> > snap.8 manual page (compressed as snap.8.gz) contains a timestamp in the
> > header that becomes timezone-localized, meaning that the Debian binary
> > packages built may vary based on the timezone they're built in.
> >
> > Although one way to fix this could be to request and display a UTC
> > timestamp, there's a comment[3] in the debian/rules file that hints at a
> > better solution: from version 1.4.0-2 of golang-go-flags there is in-built
> > support[4] for the SOURCE_DATE_EPOCH variable, a time-in-seconds since the
> > Unix epoch (interpreted in UTC[5]).
> >
> > ... [ snip ] ...
>
> Thank you for bringing this to my attention and for offering a patch. I was
> aware of numerous TODOs in the packaging but have not yet managed to come up
> with a solution that would work both upstream and downstream (snapd CI system
> uses a copy of the debian packaging to check that a package can indeed be
> built), so any iteration on this is rather tedious.
>
> In any case that should not be a problem that cannot be solved. I'm looking
> forward to your pull request or patches.
>
> Best regards
> ZK

Thanks, Zygmunt - https://salsa.debian.org/debian/snapd/-/merge_requests/7 contains a minimal change that I believe should make the package reproducible on Debian - it does not alter any build-time dependencies, and does not affect the rules files for any other distros/releases (the debian-sid (experimental) rules file in the packaging dir is _not_ updated).

The change updates the packaging to remove customization of golang-go-flags manual-page-generation timestamping. That library previously lacked support for reproducible build timestamping; that was subsequently patched[1] into Debian in v1.4.0-2 and merged upstream[2] into v1.5.0.

Please let me know whether that approach seems reasonable, or whether a more cautious approach would make sense (perhaps by starting with sid first).

Regards,
James

[1] - https://salsa.debian.org/go-team/packages/golang-go-flags/-/commit/3015faf7a972cb074e65f8c210476937698a492b
[2] - https://github.com/jessevdk/go-flags/pull/285
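
An added example, not part of the thread and not code from snapd or go-flags: Go code showing why a build-time date in a manual-page header varies with the builder's timezone, and how reading SOURCE_DATE_EPOCH as seconds since the Unix epoch in UTC makes it stable. The function name `manDate`, the header layout, the fixed-offset zones and the epoch value are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

// headerLayout is an assumed manual-page date layout (hypothetical).
const headerLayout = "2 January 2006"

// manDate (hypothetical helper) returns the date for a man-page header.
// With SOURCE_DATE_EPOCH set, the value is parsed as seconds since the
// Unix epoch and rendered in UTC, so every builder gets the same string.
// Without it, the build clock is rendered in the builder's local zone.
func manDate(sourceDateEpoch string, now time.Time, loc *time.Location) (string, error) {
	if sourceDateEpoch == "" {
		return now.In(loc).Format(headerLayout), nil
	}
	secs, err := strconv.ParseInt(sourceDateEpoch, 10, 64)
	if err != nil {
		// Fail the build step rather than silently falling back to "now".
		return "", fmt.Errorf("invalid SOURCE_DATE_EPOCH %q: %w", sourceDateEpoch, err)
	}
	return time.Unix(secs, 0).UTC().Format(headerLayout), nil
}

func main() {
	// Constructed sample: one build instant observed by two builders.
	build := time.Date(2024, 2, 21, 23, 30, 0, 0, time.UTC)
	zones := []*time.Location{
		time.FixedZone("UTC-12", -12*3600),
		time.FixedZone("UTC+14", 14*3600),
	}
	// Prefer the real environment value; otherwise use a constructed one.
	epoch := os.Getenv("SOURCE_DATE_EPOCH")
	if epoch == "" {
		epoch = "1708527120" // constructed: 2024-02-21 14:52:00 UTC
	}
	for _, z := range zones {
		local, _ := manDate("", build, z)
		pinned, err := manDate(epoch, build, z)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		fmt.Printf("%-7s unpinned=%q pinned=%q\n", z, local, pinned)
	}
}
```

To check a built package for this class of difference, build it twice under different `TZ` values and compare the resulting `snap.8.gz` files byte for byte.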