Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
On 2023-07-09, Andre Noll wrote:
> On Thu, Jun 29, 19:45, Andre Noll wrote
>> > It also needs someone to upload to Debian. Looks like Adam Borowski
>> > has sponsored in the past, but if you need someone
>> > else to sponsor the upload, I could too.
>>
>> Yes, Adam uploaded all previous versions so far. But of course it's
>> also fine if you sponsor the upload this time.
>
> Could either of you please upload v1.0.4 (released on Jun 28th)?

Thanks for getting it prepared! I'll see if I can work it in today...
otherwise it will have to wait till the 17th or so for me...

live well,
  vagrant
Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
On Thu, Jun 29, 19:45, Andre Noll wrote
> > It also needs someone to upload to Debian. Looks like Adam Borowski
> > has sponsored in the past, but if you need someone
> > else to sponsor the upload, I could too.
>
> Yes, Adam uploaded all previous versions so far. But of course it's
> also fine if you sponsor the upload this time.

Could either of you please upload v1.0.4 (released on Jun 28th)?

Thanks
Andre
--
Max Planck Institute for Biology              Tel: (+49) 7071 601 829
Max-Planck-Ring 5, 72076 Tübingen, Germany    http://people.tuebingen.mpg.de/maan/
Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
On Thu, Jun 29, 08:27, Vagrant Cascadian wrote
> >> Given that this change was accepted in 2019, would you consider
> >> uploading a version with the fixes applied to Debian, either by making a
> >> new upstream version, or applying the patches to an older version?
> >
> > Will do. FWIW: There are also a few unrelated patches pending. My
> > plan is to merge these next weekend and then release v1.0.4.
> >
> > All I have to do to get the new version into Debian is to add a stanza
> > to debian/changelog, and tag the tip commit, correct?
>
> Be sure to add Closes: #NNN for all the relevant bug numbers to
> debian/changelog.

Will add Closes: #1039617, #1039618

> It also needs someone to upload to Debian. Looks like Adam Borowski
> has sponsored in the past, but if you need someone
> else to sponsor the upload, I could too.

Yes, Adam uploaded all previous versions so far. But of course it's
also fine if you sponsor the upload this time.

> Possibly also updating debian/copyright.

Will adjust the copyright year. Anything else you had in mind?

> Building the packages and running lintian might also have some suggestions to
> improve the package. The old package has a few issues (though most seem to be
> the gzip timestamp warnings):
>
> https://udd.debian.org/lintian/?packages=liblopsub

I might need some help to resolve these. The important one seems to be
shared-library-lacks-stack-section, as that's an error tag while all
other tags are only warnings. It seems to occur only on mips, and
according to lintian-explain-tags(1), "This problem can be fixed with a
rebuild". So how can one avoid this error at the source level?

Then there is hardening-no-relro, which is also ld-related and which
also occurs only on mips. On my x86 system, the RELRO section is present:

	$ readelf -a liblopsub.so.1.0.3 | grep -i relro
	  GNU_RELRO 0xcd30 0xdd30 0xdd30

Do you think it would help to add -z relro to the two recipes of the
Makefile which create the lopsubgen executable and the shared library?

Finally there is the no-debian-changes warning, which I don't understand
at all. How can there be "no changes to the upstream sources in the
Debian-related files"?

Thanks
Andre
--
Max Planck Institute for Biology              Tel: (+49) 7071 601 829
Max-Planck-Ring 5, 72076 Tübingen, Germany    http://people.tuebingen.mpg.de/maan/
Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
On 2023-06-28, Andre Noll wrote:
> On Tue, Jun 27, 14:55, Vagrant Cascadian wrote
>> > This issue was addressed already four years ago when Chris Lamb (CC)
>> > submitted an analogous patch, see below. His patch has been part of the
>> > master branch since then, although no new version has been released.
>> >
>> > I therefore assume that there is nothing to do for me in this
>> > regard. Please let me know if this is not the case.
>>
>> Given that this change was accepted in 2019, would you consider
>> uploading a version with the fixes applied to Debian, either by making a
>> new upstream version, or applying the patches to an older version?
>
> Will do. FWIW: There are also a few unrelated patches pending. My
> plan is to merge these next weekend and then release v1.0.4.
>
> All I have to do to get the new version into Debian is to add a stanza
> to debian/changelog, and tag the tip commit, correct?

Be sure to add Closes: #NNN for all the relevant bug numbers to
debian/changelog.

It also needs someone to upload to Debian. Looks like Adam Borowski has
sponsored in the past, but if you need someone else to sponsor the
upload, I could too.

Possibly also updating debian/copyright.

Building the packages and running lintian might also have some
suggestions to improve the package. The old package has a few issues
(though most seem to be the gzip timestamp warnings):

  https://udd.debian.org/lintian/?packages=liblopsub

live well,
  vagrant
Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
On Tue, Jun 27, 14:55, Vagrant Cascadian wrote
> > This issue was addressed already four years ago when Chris Lamb (CC)
> > submitted an analogous patch, see below. His patch has been part of the
> > master branch since then, although no new version has been released.
> >
> > I therefore assume that there is nothing to do for me in this
> > regard. Please let me know if this is not the case.
>
> Given that this change was accepted in 2019, would you consider
> uploading a version with the fixes applied to Debian, either by making a
> new upstream version, or applying the patches to an older version?

Will do. FWIW: There are also a few unrelated patches pending. My
plan is to merge these next weekend and then release v1.0.4.

All I have to do to get the new version into Debian is to add a stanza
to debian/changelog, and tag the tip commit, correct?

Thanks
Andre
--
Max Planck Institute for Biology              Tel: (+49) 7071 601 829
Max-Planck-Ring 5, 72076 Tübingen, Germany    http://people.tuebingen.mpg.de/maan/
Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
On 2023-06-27, Andre Noll wrote:
> On Tue, Jun 27, 12:57, Vagrant Cascadian wrote:
>
>> The attached two patches (one patching the upstream Makefile, the other
>> patching debian/rules) fix this by passing -n to the gzip calls used to
>> compress changelog.Debian and the various manpages.
>>
>> According to my local tests, with these two patches applied liblopsub
>> should build reproducibly on tests.reproducible-builds.org once it
>> migrates to debian/trixie! This alone does not resolve all
>> reproducibility issues (e.g. build paths, tested in unstable and
>> experimental).
>
> This issue was addressed already four years ago when Chris Lamb (CC)
> submitted an analogous patch, see below. His patch has been part of the
> master branch since then, although no new version has been released.
>
> I therefore assume that there is nothing to do for me in this
> regard. Please let me know if this is not the case.

Given that this change was accepted in 2019, would you consider
uploading a version with the fixes applied to Debian, either by making a
new upstream version, or applying the patches to an older version?

Otherwise, my other Reproducible Builds team members and I will likely
keep wondering why it is not yet reproducible... possibly spending more
time fixing things apparently already with known fixes!

live well,
  vagrant

> commit 2d0464872cec02b53f5bb5ca2a037cb764641c1f
> Author: Chris Lamb
> Date: Mon Dec 2 10:44:23 2019 +0100
>
> Make the build reproducible.
>
> Whilst working on the Reproducible Builds effort [0] we noticed that
> liblopsub could not be built reproducibly.
>
> This is because it calls "gzip" manually without the -n
> flag. This should have been reported by lintian via the
> package-contains-timestamped-gzip tag.
>
> [0] https://reproducible-builds.org/
>
> diff --git a/Makefile b/Makefile > index d1f89b1..e8fb7c0 100644 > --- a/Makefile > +++ b/Makefile 
> @@ -18,7 +18,7 @@ AR := ar > GROFF := groff > CP := cp > INSTALL := install > -GZIP := gzip -f9 > +GZIP := gzip -fn9 > ZCAT := zcat > > DATE_FMT := +%B %Y > diff --git a/debian/rules b/debian/rules > index 3ba7a74..3e73eac 100755 > --- a/debian/rules > +++ b/debian/rules > @@ -49,8 +49,8 @@ binary: build > $(INST_FILE) debian/copyright $(DEVDOCS_DIR)/copyright > $(INST_FILE) debian/changelog $(DOCS_DIR)/changelog.Debian > $(INST_FILE) debian/changelog $(DEVDOCS_DIR)/changelog.Debian > - gzip -f9 $(DOCS_DIR)/changelog.Debian > - gzip -f9 $(DEVDOCS_DIR)/changelog.Debian > + gzip -fn9 $(DOCS_DIR)/changelog.Debian > + gzip -fn9 $(DEVDOCS_DIR)/changelog.Debian > dh_makeshlibs > dh_shlibdeps > dh_strip
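
What the -n flag discussed in this thread changes inside the file, as an added example that is not part of any message or of liblopsub: a reader for the gzip header fields (RFC 1952) that carry the time stamp and original name, run on constructed sample data compressed with and without them. The payload, the two epoch values and all function names are assumptions made for the illustration.

```python
import gzip
import io
import struct

FEXTRA, FNAME = 0x04, 0x08  # FLG bits from RFC 1952

def gzip_header_info(data: bytes) -> dict:
    """Return the MTIME and FNAME fields of the first gzip member header."""
    if len(data) < 10 or data[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    flg = data[3]
    mtime = struct.unpack("<I", data[4:8])[0]  # seconds since epoch, 0 = unset
    pos, name = 10, None
    if flg & FEXTRA:  # skip the optional extra field
        pos += 2 + struct.unpack("<H", data[pos:pos + 2])[0]
    if flg & FNAME:  # zero-terminated original file name
        name = data[pos:data.index(b"\x00", pos)].decode("latin-1")
    return {"mtime": mtime, "name": name}

def is_timestamped(data: bytes) -> bool:
    """True if the header stores a build-dependent modification time."""
    return gzip_header_info(data)["mtime"] != 0

def compress(payload: bytes, mtime: int, name: str) -> bytes:
    """Compress at level 9; mtime=0 and name="" mimic the effect of gzip -n."""
    buf = io.BytesIO()
    with gzip.GzipFile(filename=name, mode="wb", compresslevel=9,
                       fileobj=buf, mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()

# Constructed sample input: same file content, two different build times.
PAYLOAD = b"liblopsub (constructed sample changelog entry)\n" * 20
BUILD_A = compress(PAYLOAD, 1700000000, "changelog.Debian")
BUILD_B = compress(PAYLOAD, 1700086400, "changelog.Debian")
CLEAN_A = compress(PAYLOAD, 0, "")
CLEAN_B = compress(PAYLOAD, 0, "")

if __name__ == "__main__":
    for label, blob in [("build A", BUILD_A), ("build B", BUILD_B),
                        ("like -n", CLEAN_A)]:
        print(label, gzip_header_info(blob), "timestamped:", is_timestamped(blob))
    print("timestamped builds identical:", BUILD_A == BUILD_B)
    print("stripped builds identical:", CLEAN_A == CLEAN_B)
```

The two timestamped outputs differ only in header bytes 4 to 7, which is the difference diffoscope reports for changelog.Debian.gz and lopsubgen.1.gz in the original report.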
Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
On Tue, Jun 27, 12:57, Vagrant Cascadian wrote:
> The attached two patches (one patching the upstream Makefile, the other
> patching debian/rules) fix this by passing -n to the gzip calls used to
> compress changelog.Debian and the various manpages.
>
> According to my local tests, with these two patches applied liblopsub
> should build reproducibly on tests.reproducible-builds.org once it
> migrates to debian/trixie! This alone does not resolve all
> reproducibility issues (e.g. build paths, tested in unstable and
> experimental).

This issue was addressed already four years ago when Chris Lamb (CC)
submitted an analogous patch, see below. His patch has been part of the
master branch since then, although no new version has been released.

I therefore assume that there is nothing to do for me in this
regard. Please let me know if this is not the case.

Thanks
Andre
---
commit 2d0464872cec02b53f5bb5ca2a037cb764641c1f
Author: Chris Lamb
Date: Mon Dec 2 10:44:23 2019 +0100

    Make the build reproducible.

    Whilst working on the Reproducible Builds effort [0] we noticed that
    liblopsub could not be built reproducibly.

    This is because it calls "gzip" manually without the -n
    flag. This should have been reported by lintian via the
    package-contains-timestamped-gzip tag.

    [0] https://reproducible-builds.org/

diff --git a/Makefile b/Makefile index d1f89b1..e8fb7c0 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ AR := ar GROFF := groff CP := cp INSTALL := install -GZIP := gzip -f9 +GZIP := gzip -fn9 ZCAT := zcat DATE_FMT := +%B %Y diff --git a/debian/rules b/debian/rules index 3ba7a74..3e73eac 100755 --- a/debian/rules +++ b/debian/rules 
@@ -49,8 +49,8 @@ binary: build $(INST_FILE) debian/copyright $(DEVDOCS_DIR)/copyright $(INST_FILE) debian/changelog $(DOCS_DIR)/changelog.Debian $(INST_FILE) debian/changelog $(DEVDOCS_DIR)/changelog.Debian - gzip -f9 $(DOCS_DIR)/changelog.Debian - gzip -f9 $(DEVDOCS_DIR)/changelog.Debian + gzip -fn9 $(DOCS_DIR)/changelog.Debian + gzip -fn9 $(DEVDOCS_DIR)/changelog.Debian dh_makeshlibs dh_shlibdeps dh_strip
--
Max Planck Institute for Biology
Max-Planck-Ring 5, 72076 Tübingen, Germany. Phone: (+49) 7071 601 829
http://people.tuebingen.mpg.de/maan/
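
Review bot: in the debian/rules hunk, both changed lines spell out `gzip -fn9` by hand while the Makefile hunk sets the same flags once in `GZIP := gzip -fn9`, so the options now live in three places and can drift apart. Define the command once near the top of debian/rules and use it for both changelog.Debian files, so that a later flag change touches one line.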
Bug#1039617: liblopsub: reproducible-builds: timestamps in gzip headers for changelog and manpage
Source: liblopsub
Severity: normal
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

The build timestamp is included in various gzip headers:

  https://tests.reproducible-builds.org/debian/rb-pkg/trixie/amd64/diffoscope-results/liblopsub.html

  /usr/share/doc/liblopsub-dev/changelog.Debian.gz

  gzip·compressed·data,·was·"changelog.Debian",·last·modified:·Mon·May·20·01:26:32·2024,·max·compression,·from·Unix
  vs.
  gzip·compressed·data,·was·"changelog.Debian",·last·modified:·Mon·Apr·17·19:04:49·2023,·max·compression,·from·Unix

  /usr/share/man/man1/lopsubgen.1.gz

  gzip·compressed·data,·was·"lopsubgen.1",·last·modified:·Mon·May·20·01:26:29·2024,·max·compression,·from·Unix
  vs.
  gzip·compressed·data,·was·"lopsubgen.1",·last·modified:·Mon·Apr·17·19:04:45·2023,·max·compression,·from·Unix

The attached two patches (one patching the upstream Makefile, the other
patching debian/rules) fix this by passing -n to the gzip calls used to
compress changelog.Debian and the various manpages.

According to my local tests, with these two patches applied liblopsub
should build reproducibly on tests.reproducible-builds.org once it
migrates to debian/trixie! This alone does not resolve all
reproducibility issues (e.g. build paths, tested in unstable and
experimental).

Thanks for maintaining liblopsub!

live well,
  vagrant

From f92b3e462e3665bf1a4f8469ddd5ebf0c19f3f26 Mon Sep 17 00:00:00 2001 From: Vagrant Cascadian Date: Tue, 27 Jun 2023 12:41:36 -0700 Subject: [PATCH 1/3] Makefile: Pass -n to gzip to avoid embedding timestamps. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d1f89b1..f139597 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ AR := ar GROFF := groff CP := cp INSTALL := install -GZIP := gzip -f9 +GZIP := gzip -n -f9 ZCAT := zcat DATE_FMT := +%B %Y -- 2.39.2 From e95dc3bf4cf0beb6afdd23a34c9b7923ffbd0c24 Mon Sep 17 00:00:00 2001 
From: Vagrant Cascadian Date: Tue, 27 Jun 2023 12:42:16 -0700 Subject: [PATCH 2/3] debian/rules: Pass -n to gzip to avoid embedding timestamps. --- debian/rules | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/rules b/debian/rules index 3ba7a74..1263826 100755 --- a/debian/rules +++ b/debian/rules @@ -49,8 +49,8 @@ binary: build $(INST_FILE) debian/copyright $(DEVDOCS_DIR)/copyright $(INST_FILE) debian/changelog $(DOCS_DIR)/changelog.Debian $(INST_FILE) debian/changelog $(DEVDOCS_DIR)/changelog.Debian - gzip -f9 $(DOCS_DIR)/changelog.Debian - gzip -f9 $(DEVDOCS_DIR)/changelog.Debian + gzip -n -f9 $(DOCS_DIR)/changelog.Debian + gzip -n -f9 $(DEVDOCS_DIR)/changelog.Debian dh_makeshlibs dh_shlibdeps dh_strip -- 2.39.2
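
Review bot: the two patches are numbered [PATCH 1/3] and [PATCH 2/3] in their Subject lines, but the report describes two attached patches and no 3/3 appears here. Either renumber the series as 1/2 and 2/2 or say what the third patch covers, so a maintainer applying them can tell nothing is missing.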