Debian Bug report logs - #1035400
lucene8: reproducible builds: username embedded in .jar files
Report forwarded
to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#1035400; Package src:lucene8.
(Tue, 02 May 2023 19:39:03 GMT)
Acknowledgement sent
to Vagrant Cascadian <vagrant@reproducible-builds.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Tue, 02 May 2023 19:39:03 GMT)
Message #5 received at submit@bugs.debian.org:
Source: lucene8
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
Various .jar files embed the username:
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/lucene8.html
/usr/share/java/lucene-analyzers-common-8.7.0.jar
Implementation-Version:·8.8.1-4·unknown·-·pbuilder1·-·2022-11-25·13:00\xd
vs.
Implementation-Version:·8.8.1-4·unknown·-·pbuilder2·-·2022-11-25·13:00\xd
The attached patches fix this by removing the user.name from the
Implementation-Version fields in various template .xml files.
According to my local tests, with these patches applied lucene8 should
become reproducible on tests.reproducible-builds.org!
Thanks for maintaining lucene8!
live well,
vagrant
[0001-common-build.xml-Remove-user-from-Implementation-Ver.patch (text/x-diff, inline)]
From 42be160c88c6d81278c85c0dbd612b1c84b1e2bb Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Tue, 2 May 2023 12:20:34 -0700
Subject: [PATCH 1/4] common-build.xml: Remove user from
Implementation-Version.
---
common-build.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common-build.xml b/common-build.xml
index 96c5ba5..2bb79f7 100644
--- a/common-build.xml
+++ b/common-build.xml
@@ -793,7 +793,7 @@
<attribute name="Implementation-Title" value="@{implementation.title}"/>
<!-- impl version can be any string -->
<attribute name="Implementation-Version"
- value="${version} ${checkoutid} - ${user.name} - ${DSTAMP} ${TSTAMP}"/>
+ value="${version} ${checkoutid} - ${DSTAMP} ${TSTAMP}"/>
<attribute name="Implementation-Vendor"
value="The Apache Software Foundation"/>
<attribute name="X-Compile-Source-JDK" value="${javac.release}"/>
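Review bot: the new `Implementation-Version` value still expands `${DSTAMP} ${TSTAMP}`, so this manifest field is only stable if the build pins those timestamps; the diffoscope excerpt in the report shows the same date in both builds, but the patch does not say where that comes from. Suggest extending the `<!-- impl version can be any string -->` comment to state that `${user.name}` is left out on purpose for reproducible builds, and giving the commit message a body that references the bug, so a later sync with upstream does not bring the field back.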
--
2.39.2
[0002-debian-poms-lucene-solr-grandparent.pom.xml-Remove-b.patch (text/x-diff, inline)]
From 8655f43ae17ad1fa707fd7e3d08af328b11479e8 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Tue, 2 May 2023 12:22:17 -0700
Subject: [PATCH 2/4] debian/poms/lucene-solr-grandparent.pom.xml: Remove build
user from Implementation-Version.
---
debian/poms/lucene-solr-grandparent.pom.xml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/poms/lucene-solr-grandparent.pom.xml b/debian/poms/lucene-solr-grandparent.pom.xml
index b0df3c7..c34075c 100644
--- a/debian/poms/lucene-solr-grandparent.pom.xml
+++ b/debian/poms/lucene-solr-grandparent.pom.xml
@@ -11686,7 +11686,7 @@
<Specification-Version>${specification.version}</Specification-Version>
<Specification-Vendor>The Apache Software Foundation</Specification-Vendor>
<!-- impl version can be any string -->
- <Implementation-Version>${project.version} ${checkoutid} - ${user.name} - ${now.timestamp}</Implementation-Version>
+ <Implementation-Version>${project.version} ${checkoutid} - ${now.timestamp}</Implementation-Version>
<Implementation-Vendor>The Apache Software Foundation</Implementation-Vendor>
<Implementation-Vendor-Id>${project.groupId}</Implementation-Vendor-Id>
<X-Compile-Source-JDK>${java.compat.version}</X-Compile-Source-JDK>
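Review bot: `${now.timestamp}` stays in the `<Implementation-Version>` element at line 11689, so the value still depends on when the build runs unless that property is derived from a fixed source date. Where `now.timestamp` is set is not visible in this patch; please confirm it is deterministic, or drop it from the string as well.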
@@ -11812,7 +11812,7 @@
<Specification-Version>${specification.version}</Specification-Version>
<Specification-Vendor>The Apache Software Foundation</Specification-Vendor>
<!-- impl version can be any string -->
- <Implementation-Version>${project.version} ${checkoutid} - ${user.name} - ${now.timestamp}</Implementation-Version>
+ <Implementation-Version>${project.version} ${checkoutid} - ${now.timestamp}</Implementation-Version>
<Implementation-Vendor>The Apache Software Foundation</Implementation-Vendor>
<Implementation-Vendor-Id>${project.groupId}</Implementation-Vendor-Id>
<X-Compile-Source-JDK>${java.compat.version}</X-Compile-Source-JDK>
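Review bot: this is the same one-line edit as the hunk at line 11686, applied to a second copy of the manifest entries at line 11812, and two hand-maintained copies can drift apart. Consider defining the version string once as a property and referencing it from both `<Implementation-Version>` elements, or at least say in the commit message that both copies were changed.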
--
2.39.2
[signature.asc (application/pgp-signature, inline)]
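A check for the kind of difference reported above, as an added example that is not part of the bug report or its patches: it parses the main section of a jar's `META-INF/MANIFEST.MF`, re-joins wrapped values, and reports attributes that differ between two builds or that contain a given build-environment string. The jars are constructed in memory, the function names are hypothetical, and the 46-column wrap is artificial, chosen so the user name is split across a continuation line.

```python
import io
import zipfile

def build_jar(user=None, width=46):
    """Constructed sample jar holding only a manifest; `width` forces a wrapped value."""
    who = f" - {user}" if user else ""
    line = f"Implementation-Version: 8.8.1-4 unknown{who} - 2022-11-25 13:00"
    wrapped = [line[:width]] + [" " + line[i:i + width - 1]
                                for i in range(width, len(line), width - 1)]
    manifest = "\r\n".join(["Manifest-Version: 1.0", *wrapped, "", ""])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

def main_attributes(jar_bytes):
    """Parse the manifest's main section, re-joining continuation lines."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs, name = {}, None
    for line in text.splitlines():
        if not line:                       # blank line ends the main section
            break
        if line.startswith(" ") and name:  # continuation of the previous value
            attrs[name] += line[1:]
        else:
            name, _, value = line.partition(": ")
            attrs[name] = value
    return attrs

def differing_attributes(jar_a, jar_b):
    """Attributes whose values differ between two builds of the same jar."""
    a, b = main_attributes(jar_a), main_attributes(jar_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def leaking_attributes(jar_bytes, needle):
    """Attributes whose value contains a build-environment string such as the user name."""
    return sorted(k for k, v in main_attributes(jar_bytes).items() if needle in v)

if __name__ == "__main__":
    first, second = build_jar("pbuilder1"), build_jar("pbuilder2")
    print(differing_attributes(first, second))
    print(leaking_attributes(first, "pbuilder1"))
    print(differing_attributes(build_jar(), build_jar()))
```

A plain line-by-line search of the raw manifest would miss the user name here, because the wrap splits it across two physical lines.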
Last modified:
Sat Aug 19 14:57:36 2023;