Debian Bug report logs -
#1003809
node-postcss: reproducible-builds: build path embedded in pkgjs-lock.json
Reported by: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Sun, 16 Jan 2022 03:00:01 UTC
Severity: normal
Tags: patch
Found in version pkg-js-tools/0.11.0
Fixed in version pkg-js-tools/0.11.3
Done: Yadd <yadd@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1003809; Package src:node-postcss.
(Sun, 16 Jan 2022 03:00:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>.
(Sun, 16 Jan 2022 03:00:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Source: node-postcss
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: buildpath
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
The build path of is embedded in a pkgjs-lock.json file:
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/node-postcss.html
/usr/share/nodejs/nanoid/pkgjs-lock.json
"/build/1st/node-postcss-8.4.5+~cs7.1.51":·{
vs.
"/build/2/node-postcss-8.4.5+~cs7.1.51/2nd":·{
The attached patch to debian/rules works around this by replacing the
build path with a package and version string in a dh_compress override.
The pkgjs-lock.json files appear to be generated from pkg-js-tools and
might be possible to fix there instead; I'm not sure why the other
pkgjs-lock.json files in node-postcss do not have embedded build paths.
With this patch applied, node-postcss should build reproducibly on
tests.reproducible-builds.org!
Thanks for maintaining node-postcss!
live well,
vagrant
[0001-debian-rules-Remove-the-build-path-from-pkgjs-lock.j.patch (text/x-diff, inline)]
From d91ed1d45facb624d5ac53a9271d0873686ee8c5 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Sun, 16 Jan 2022 02:38:43 +0000
Subject: [PATCH] debian/rules: Remove the build path from pkgjs-lock.json
file.
The full build path is most likely not present on the end-user's
system, so replace it with PACKAGE-VERSION.
---
debian/rules | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/debian/rules b/debian/rules
index 31a1f14..2f6ba64 100755
--- a/debian/rules
+++ b/debian/rules
@@ -1,9 +1,16 @@
#!/usr/bin/make -f
# -*- makefile -*-
+include /usr/share/dpkg/pkg-info.mk
+
%:
dh $@
override_dh_fixperms:
dh_fixperms
chmod +x debian/node-postcss/usr/share/nodejs/nanoid/bin/nanoid.cjs
+
+override_dh_compress:
+ # Remove build path for reproducibility
+ sed -i -e "s,$(CURDIR),$(DEB_SOURCE)-$(DEB_VERSION_UPSTREAM),g" debian/node-postcss/usr/share/nodejs/nanoid/pkgjs-lock.json
+ dh_compress
--
2.30.2
[signature.asc (application/pgp-signature, inline)]
Marked as found in versions pkg-js-tools/0.11.0.
Request was from Yadd <yadd@debian.org>
to control@bugs.debian.org.
(Sun, 16 Jan 2022 08:06:02 GMT) (full text, mbox, link).
Message sent on
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug#1003809.
(Sun, 16 Jan 2022 09:39:03 GMT) (full text, mbox, link).
Message #14 received at 1003809-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #1003809 in pkg-js-tools reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/js-team/pkg-js-tools/-/commit/1fa106bb0e5be2b62c3fd9e3046b3aacc8258476
------------------------------------------------------------------------
Fix pkgjs-lock.json build for reproducibility
Closes: #1003809
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/1003809
Added tag(s) pending.
Request was from Yadd <noreply@salsa.debian.org>
to 1003809-submitter@bugs.debian.org.
(Sun, 16 Jan 2022 09:39:03 GMT) (full text, mbox, link).
Reply sent
to Yadd <yadd@debian.org>:
You have taken responsibility.
(Sun, 16 Jan 2022 09:51:03 GMT) (full text, mbox, link).
Notification sent
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
Bug acknowledged by developer.
(Sun, 16 Jan 2022 09:51:03 GMT) (full text, mbox, link).
Message #21 received at 1003809-close@bugs.debian.org (full text, mbox, reply):
Source: pkg-js-tools
Source-Version: 0.11.3
Done: Yadd <yadd@debian.org>
We believe that the bug you reported is fixed in the latest version of
pkg-js-tools, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003809@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated pkg-js-tools package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 16 Jan 2022 09:03:59 +0100
Source: pkg-js-tools
Architecture: source
Version: 0.11.3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1003809
Changes:
pkg-js-tools (0.11.3) unstable; urgency=medium
.
* autopkgtest: try "require" if "type=module" and "main" exists
* debhelper:
+ fix pkgjs-lock.json build for reproducibility (Closes: #1003809)
Checksums-Sha1:
9a98b896d9adddd4926dc234364aa9b78dc9b91c 2279 pkg-js-tools_0.11.3.dsc
c0f8073538c39f83d0b1928f4063ab1a280f138a 58168 pkg-js-tools_0.11.3.tar.xz
Checksums-Sha256:
19fd1e9a40f1bb70b7963e0d97963d008a7ede288e5a9072ed094779b2a18efe 2279 pkg-js-tools_0.11.3.dsc
8b21e8ccf8efdd090d68aa4fa47f2f0b191944f02424eabefeb62a55178e0458 58168 pkg-js-tools_0.11.3.tar.xz
Files:
ecd8f44e22e27f92d9f26c6ae2f19fe3 2279 devel optional pkg-js-tools_0.11.3.dsc
ccb0480dc68a385396d4470c4b559b30 58168 devel optional pkg-js-tools_0.11.3.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmHj5wgACgkQ9tdMp8mZ
7ul6vQ//ZxWFXtRx488NnGI7PRX4WesHj4h/lZF+lo2aOs2yEhNARq+XwKFNq6x3
zJIyZ92UQBjK4jHtWwTEjl3WkdSwlUeF9iUAeGDnb6rwn6nnskgRBo4+bZjgFI4N
NF6Ho6SILCCHGDj5338OM6tIIIn/gL42fzbStaJP2dwXOZ/n+zFafe1Pbfo8CQA7
n5xkziceWldFR4XAyV244tmn1psUEpCYy0w1Fxb6b8/3Z4/oBR9jxqoN12ZQ1/Cn
V80c4sgHnpOmaPRZ94niLMafaiXJUzVp7XY0sRravA+lobAxrqMsuWnp31msNr52
BHQPNdweMruyuf7FO+GTzDMcyTK3K6IWom78fQw+/Eyd5PHQaL1FixePjflSyj2r
DAZf0aoYrHkJryCI2e8y0qg+JHEiLOBDNcQyY8lA9UMvrDkx1o4bksBR4QFuXiuj
hBLrd7/NIEli9ig3qpZTfL/jUyhMb+0Xwb3CPzXiqqNCNJioDc6yuwG185qNdGIf
VJS3ox3PoZIecjhHS4ETSjE3kXy2ue4gI9kgHGrMTQpnu6Zqlrd7GpvPHThCOpI4
VU2qWvrv6X2nKNsNiXyMNZsMO5MiNd5py3EgCsZPXwJD0e+SDKWN1E3qrfWIuYgO
o9DcH+B6ECwLwDBjn2NQArvHaq2XXDqrXtt47yXWt7cHqHCM/as=
=rDI6
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 14 Feb 2022 07:25:13 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed May 17 11:03:32 2023;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.