Bug#774274: fontforge: please use SOURCE_DATE_EPOCH for reproducible font modification time
Package: fontforge
Version: 1:20170731~dfsg-1+b2
Followup-For: Bug #774274

Hi,

Just seen Vasudev's comment from the bug log.

There are three relevant commits:

1. Add GetTime function: override time(2) in case SOURCE_DATE_EPOCH is set
   https://github.com/fontforge/fontforge/commit/4e850c134200d5a62bdecdd68a4ee31ef7688360

2. Improve GetTime function
   https://github.com/fontforge/fontforge/commit/24aeddf65139ee50753537070e51b08c80346423

3. Use GetTime in more places
   https://github.com/fontforge/fontforge/commit/078a1738a86717b46e02276bd85bb76893688eea

However, as there have already been three 2019 releases (March, April, August), updating from official release could be another choice.

Regards,
--
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/
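The technique named in commit 1 above, using SOURCE_DATE_EPOCH in place of the wall clock when it is set, shown as an added example; this is not FontForge's GetTime code and not part of the original message. The names `parse_source_date_epoch` and `reproducible_time` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Hypothetical helper (not FontForge's GetTime): strictly parse a
 * SOURCE_DATE_EPOCH value. Returns 0 and stores the timestamp on success,
 * -1 if the string is missing, not purely decimal digits, or out of range. */
int parse_source_date_epoch(const char *s, time_t *out)
{
    char *end;
    long long v;

    /* Reject NULL, empty strings, signs and leading whitespace up front. */
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                      /* overflow or trailing junk */
    if ((long long)(time_t)v != v)
        return -1;                      /* does not fit in this time_t */
    *out = (time_t)v;
    return 0;
}

/* Hypothetical drop-in for time(NULL) in code that stamps output files:
 * a valid SOURCE_DATE_EPOCH wins, anything else falls back to the clock. */
time_t reproducible_time(void)
{
    time_t t;

    if (parse_source_date_epoch(getenv("SOURCE_DATE_EPOCH"), &t) == 0)
        return t;
    return time(NULL);
}

int main(void)
{
    char buf[32];
    time_t t = reproducible_time();

    /* gmtime, not localtime: the build host's timezone must not leak in. */
    strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", gmtime(&t));
    printf("timestamp written to output: %s UTC\n", buf);
    return 0;
}
```

Every place that stamps an output file has to go through the wrapper; a single remaining direct `time()` call is enough to make the build unreproducible again.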
Bug#774274: fontforge: please use SOURCE_DATE_EPOCH for reproducible font modification time
Theppitak Karoonboonyanan writes:

> Package: fontforge
> Version: 1:20170731~dfsg-1
> Followup-For: Bug #774274
>
> Dear Maintainer,
>
> This bug still exists for Type 1 font generation, which causes my package
> fonts-sipa-arundina to be unreproducible.
>
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/fonts-sipa-arundina.html
>
> Creation date timestamps are still taken from build time without obeying
> SOURCE_DATE_EPOCH.
>
> There have been some upstream changes in Fontforge after the version in Sid,
> beginning at this one:
>
> https://github.com/fontforge/fontforge/commit/4e850c134200d5a62bdecdd68a4ee31ef7688360
>
> And the relevant calls to the new GetTime() function have been added here:
>
> https://github.com/fontforge/fontforge/commit/078a1738a86717b46e02276bd85bb76893688eea
>
> So, please update Fontforge in Debian to solve more build reproducibility
> problems.

I currently do not have enough time to figure out the patches needed, as there is no official release by upstream. But any help is welcome. If you know a set of patches which is going to fix this issue, feel free to record the commit hashes and I will try to get those applied.

Cheers,
Bug#774274: fontforge: please use SOURCE_DATE_EPOCH for reproducible font modification time
Package: fontforge
Version: 1:20170731~dfsg-1
Followup-For: Bug #774274

Dear Maintainer,

This bug still exists for Type 1 font generation, which causes my package fonts-sipa-arundina to be unreproducible.

https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/fonts-sipa-arundina.html

Creation date timestamps are still taken from build time without obeying SOURCE_DATE_EPOCH.

There have been some upstream changes in Fontforge after the version in Sid, beginning at this one:

https://github.com/fontforge/fontforge/commit/4e850c134200d5a62bdecdd68a4ee31ef7688360

And the relevant calls to the new GetTime() function have been added here:

https://github.com/fontforge/fontforge/commit/078a1738a86717b46e02276bd85bb76893688eea

So, please update Fontforge in Debian to solve more build reproducibility problems.

Thanks,
--
Theppitak Karoonboonyanan
http://linux.thai.net/~thep/

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=th_TH.utf8, LC_CTYPE=th_TH.utf8 (charmap=UTF-8), LANGUAGE=th_TH.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fontforge depends on:
ii  fontforge-common  1:20170731~dfsg-1
ii  libc6             2.28-4
ii  libfontforge2     1:20170731~dfsg-1
ii  libgdraw5         1:20170731~dfsg-1
ii  libltdl7          2.4.6-6
ii  libx11-6          2:1.6.7-1

fontforge recommends no packages.

Versions of packages fontforge suggests:
pn  autotrace         <none>
pn  fontforge-doc     <none>
ii  fontforge-extras  0.3-4
pn  potrace           <none>
ii  python-fontforge  1:20170731~dfsg-1

-- no debconf information
Bug#774274: [Pkg-fonts-devel] Bug#774274: fontforge: please use SOURCE_DATE_EPOCH for reproducible font modification time
Justin Cappos writes:

> found 774274
> forwarded 774274 https://github.com/fontforge/fontforge/issues/2490
> done
>
> The changelog doesn't seem to indicate that the upstream patch was
> applied. This seems to be fixed in upstream master on November 16th, 2016
> as per ( https://github.com/fontforge/fontforge/issues/2490 ).

The commit you mentioned in the above pull request is already in the Debian package ¹. It was merged by upstream and not patched by us in Debian, hence not mentioned in the changelog.

¹ https://anonscm.debian.org/cgit/pkg-fonts/fontforge.git/commit/fontforge/tottf.c?id=3d6c16da24d8ae105dfbb3c3a0e0e507e04b835d

> This may or may not address / relate to
> https://github.com/fontforge/fontforge/issues/2943. The issues seem to
> contradict each other about whether the same merged patch set addresses
> both.

Well, it's Debian's patch which got merged. Please see the first commit in the PR: it's mine and taken from the Debian patch I created, which is already included in fontforge. ²

² https://anonscm.debian.org/cgit/pkg-fonts/fontforge.git/tree/debian/patches/1001_reproducibe_buildtimestamps.patch

> This comes up as an issue with many packages (e.g.,
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/dkg-handwriting.html
> seems to be impacted by 2490 and

I don't think it's impacted by 2490; the message clearly suggests a new patch is in WIP at ³. Also, one 2490-related patch is already in fontforge. Once the below WIP patch is submitted upstream I will happily merge it in our packaging.

³ https://gist.githubusercontent.com/lamby/60a545b37b778e148702c342bbf86bd9/raw/19a39af51d669fde042b261236f65ba72f75662a/903_reproducubile_build.diff

> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/essays1743.html
> seems to be impacted by 2943 ).

Not really sure about this either, because the related patch is already in fontforge.

I'm not really experienced in reproducible builds, so I'm just pointing at things which are already included in the package. If more things need to be included, please let me know and I will get those included in the package.

Cheers,
Bug#774274: fontforge: please use SOURCE_DATE_EPOCH for reproducible font modification time
found 774274
forwarded 774274 https://github.com/fontforge/fontforge/issues/2490
done

The changelog doesn't seem to indicate that the upstream patch was applied. This seems to be fixed in upstream master on November 16th, 2016 as per ( https://github.com/fontforge/fontforge/issues/2490 ).

This may or may not address / relate to https://github.com/fontforge/fontforge/issues/2943. The issues seem to contradict each other about whether the same merged patch set addresses both.

This comes up as an issue with many packages (e.g., https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/dkg-handwriting.html seems to be impacted by 2490 and https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/essays1743.html seems to be impacted by 2943 ).

Thanks,
Justin