Bug#877470: bsh; please make the build reproducible (timestamps)
On Wed, 04 Oct 2017 07:27:08 +0100 Chris Lamb wrote: > Hi, > > > bsh; please make the build reproducible (timestamps) > > +SOURCE_DATE_EPOCH ?= $(shell dpkg-parsechangelog -STimestamp) > > I'd actually use /usr/share/dpkg/pkg-info.mk for this :) > > + --clamp-mtime --mtime="$(SOURCE_DATE_EPOCH)" > > Shouldn't this be --mtime="@$(SOURCE_DATE_EPOCH)" (nb. with the @?) > > > Regards, > > -- > ,''`. > : :' : Chris Lamb > `. `'` la...@debian.org / chris-lamb.co.uk >`- > > Hi, I have rewrited the bsh patch based on the observations and suggestions of Lamby, sending a new bsh_2.0b4-18_2.0b4-18.1.debdiff file. The attached patch clamps the timestamps to the changelog timestamp when creating the source archive using SOURCE_DATE_EPOCH variable. Once applied, bsh can be built reproducibly in our current experimental framework. Cheers. Jathan -- Por favor evita enviarme adjuntos en formato de word o powerpoint, si quieres saber porque lee esto: http://www.gnu.org/philosophy/no-word-attachments.es.html ¡Cámbiate a GNU/Linux! http://getgnulinux.org/es diff -Nru bsh-2.0b4/debian/changelog bsh-2.0b4/debian/changelog --- bsh-2.0b4/debian/changelog 2016-05-30 12:14:02.0 -0500 +++ bsh-2.0b4/debian/changelog 2017-10-24 23:46:23.0 -0500 @@ -1,3 +1,10 @@ +bsh (2.0b4-18.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Fix timestamps_in_tarball reproducible build issue. + + -- Jonathan Bustillos Tue, 24 Oct 2017 23:46:23 -0500 + bsh (2.0b4-18) unstable; urgency=medium * Team upload. diff -Nru bsh-2.0b4/debian/rules bsh-2.0b4/debian/rules --- bsh-2.0b4/debian/rules 2016-05-30 12:06:22.0 -0500 +++ bsh-2.0b4/debian/rules 2017-10-24 23:44:07.0 -0500 @@ -1,6 +1,7 @@ #!/usr/bin/make -f # debian/rules file for bsh (uses cdbs) +include /usr/share/dpkg/pkg-info.mk include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/ant.mk @@ -29,6 +30,7 @@ install/bsh-src:: binary-install/bsh-doc mkdir -p debian/bsh-src/usr/src/bsh-src tar --exclude debian --exclude classes --exclude dist --exclude api \ + --clamp-mtime --mtime="@$(SOURCE_DATE_EPOCH)" \ -zcf debian/bsh-src/usr/src/bsh-src/bsh.tar.gz * binary-fixup/bsh-doc:: signature.asc Description: OpenPGP digital signature __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#877470: bsh; please make the build reproducible (timestamps)
On Mon, 2 Oct 2017 17:11:48 +0200 Emmanuel Bourg wrote: > Thank you for the patch Jathan. > > Aren't tar timestamps already normalized by strip-nondeterminism though? > > Emmanuel Bourg > > Hi Emmanuel, Tar timestamps are not normalized by strip-nondeterminism. Best regards. Jathan -- Por favor evita enviarme adjuntos en formato de word o powerpoint, si quieres saber porque lee esto: http://www.gnu.org/philosophy/no-word-attachments.es.html ¡Cámbiate a GNU/Linux! http://getgnulinux.org/es signature.asc Description: OpenPGP digital signature __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#877470: Question about strip-nondeterminism in bsh
On 09/10/17 10:47, Chris Lamb wrote: > [Adding 877...@bugs.debian.org to CC] > > Hi jathan, > >> Also I want to ask you what does it mean you actually use >> /usr/share/dpkg/pkg-info.mk for SOURCE_DATE_EPOCH > > See, for example: > > https://github.com/lamby/pkg-python-daiquiri/blob/debian/sid/debian/rules#L3 > > If you take a look at the /usr/share/dpkg/pkg-info.mk file itself, > it should be fairly clear what it exports to the outside environment. > > In the python-daiquiri example, I'm using DEB_VERSION_UPSTREAM for a > reproducibility-related reason, but you should be able to see how it > applies to SOURCE_DATE_EPOCH too :) > >> Thanks a lot and sorry for my delay to reply, > > No worries about the delay. Note that I've added 877...@bugs.debian.org to > the CC; generally when a question pertains to a specific bug, it's a great > idea to ensure that the conversation is archived there. Keeps everyone sane > too as it's easy to "load" context after a few days/weeks. :) > > > Best wishes, > Hi Lamby!, Thanks a lot for sharing your pkg-python-daiquiri example. I have executed "less /usr/share/dpkg/pkg-info.mk" on my local machine with Debian Stretch and I have the next content: # Makefile snippet defining the following variables: # # DEB_SOURCE: the source package name # DEB_VERSION: the full version of the package (epoch + upstream vers. + revision) # DEB_VERSION_EPOCH_UPSTREAM: the package's version without the Debian revision # DEB_VERSION_UPSTREAM_REVISION: the package's version without the Debian epoch # DEB_VERSION_UPSTREAM: the package's upstream version # DEB_DISTRIBUTION: the distribution(s) listed in the current entry of debian/changelog # # SOURCE_DATE_EPOCH: the source release date as seconds since the epoch, as # specified by <https://reproducible-builds.org/specs/source-date-epoch/> dpkg_late_eval ?= $(or $(value DPKG_CACHE_$(1)),$(eval DPKG_CACHE_$(1) := $(shell $(2)))$(value DPKG_CACHE_$(1))) DEB_SOURCE = $(call dpkg_late_eval,DEB_SOURCE,dpkg-parsechangelog -SSource) DEB_VERSION = $(call dpkg_late_eval,DEB_VERSION,dpkg-parsechangelog -SVersion) DEB_VERSION_EPOCH_UPSTREAM = $(call dpkg_late_eval,DEB_VERSION_EPOCH_UPSTREAM,echo '$(DEB_VERSION)' | sed -e 's/-[^-]*$$//') DEB_VERSION_UPSTREAM_REVISION = $(call dpkg_late_eval,DEB_VERSION_UPSTREAM_REVISION,echo '$(DEB_VERSION)' | sed -e 's/^[0-9]*://') DEB_VERSION_UPSTREAM = $(call dpkg_late_eval,DEB_VERSION_UPSTREAM,echo '$(DEB_VERSION_EPOCH_UPSTREAM)' | sed -e 's/^[0-9]*://') DEB_DISTRIBUTION = $(call dpkg_late_eval,DEB_DISTRIBUTION,dpkg-parsechangelog -SDistribution) SOURCE_DATE_EPOCH ?= $(call dpkg_late_eval,SOURCE_DATE_EPOCH,dpkg-parsechangelog -STimestamp) export SOURCE_DATE_EPOCH How can I see the /usr/share/dpkg/pkg-info.mk you have used for pkg-python-daiquiri to make a comparison of contents and understand deeper how you did it please? Thinking about these two lines of your code: include /usr/share/dpkg/pkg-info.mk export PBR_VERSION = $(DEB_VERSION_UPSTREAM) And also considering the /usr/share/dpkg/pkg-info.mk file suggestion, I would apply SOURCE_DATE_EPOCH in the next way: include /usr/share/dpkg/pkg-info.mk export SOURCE_DATE_EPOCH = $(call dpkg_late_eval,SOURCE_DATE_EPOCH,dpkg-parsechangelog -STimestamp) or export SOURCE_DATE_EPOCH = $(shell dpkg-parsechangelog -STimestamp) (based on https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal#Examples) Would it be right for me to use either of these two options or am I wrong in both? Best regards. Jathan -- Por favor evita enviarme adjuntos en formato de word o powerpoint, si quieres saber porque lee esto: http://www.gnu.org/philosophy/no-word-attachments.es.html ¡Cámbiate a GNU/Linux! http://getgnulinux.org/es signature.asc Description: OpenPGP digital signature __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#877470: bsh; please make the build reproducible (timestamps)
Source: bsh Version: 2.0b4-18 Severity: wishlist Tags: patch User: reproducible-bui...@lists.alioth.debian.org Usertags: timestamps X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org Hi! While working on the “reproducible builds” effort [1], we have noticed that bsh could not be built reproducibly. The attached patch clamps the timestamps to the changelog timestamp when creating the source archive. Once applied, bsh can be built reproducibly in our current experimental framework. Best regards. Jathan [1]: https://wiki.debian.org/ReproducibleBuilds -- Por favor evita enviarme adjuntos en formato de word o powerpoint, si quieres saber porque lee esto: http://www.gnu.org/philosophy/no-word-attachments.es.html ¡Cámbiate a GNU/Linux! http://getgnulinux.org/es diff -Nru bsh-2.0b4/debian/changelog bsh-2.0b4/debian/changelog --- bsh-2.0b4/debian/changelog 2016-05-30 12:14:02.0 -0500 +++ bsh-2.0b4/debian/changelog 2017-10-01 22:01:37.0 -0500 @@ -1,3 +1,10 @@ +bsh (2.0b4-18.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Fix timestamps_in_tarball reproducible build issue. + + -- Jonathan Bustillos Sun, 01 Oct 2017 22:01:37 -0500 + bsh (2.0b4-18) unstable; urgency=medium * Team upload. diff -Nru bsh-2.0b4/debian/rules bsh-2.0b4/debian/rules --- bsh-2.0b4/debian/rules 2016-05-30 12:06:22.0 -0500 +++ bsh-2.0b4/debian/rules 2017-10-01 22:00:30.0 -0500 @@ -1,6 +1,7 @@ #!/usr/bin/make -f # debian/rules file for bsh (uses cdbs) +SOURCE_DATE_EPOCH ?= $(shell dpkg-parsechangelog -STimestamp) include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/ant.mk @@ -29,6 +30,7 @@ install/bsh-src:: binary-install/bsh-doc mkdir -p debian/bsh-src/usr/src/bsh-src tar --exclude debian --exclude classes --exclude dist --exclude api \ + --clamp-mtime --mtime="$(SOURCE_DATE_EPOCH)" \ -zcf debian/bsh-src/usr/src/bsh-src/bsh.tar.gz * binary-fixup/bsh-doc:: signature.asc Description: OpenPGP digital signature __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.