Debian Bug report logs - #759886
dpkg-dev: please make mtimes of packaged files deterministic


Package: dpkg-dev; Maintainer for dpkg-dev is Dpkg Developers <debian-dpkg@lists.debian.org>; Source for dpkg-dev is src:dpkg (PTS, buildd, popcon).

Reported by: Jérémy Bobbio <lunar@debian.org>

Date: Sat, 30 Aug 2014 20:21:01 UTC

Severity: normal

Tags: patch

Fixed in version dpkg/1.18.8

Done: Guillem Jover <guillem@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Sat, 30 Aug 2014 20:21:06 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Sat, 30 Aug 2014 20:21:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Jérémy Bobbio <lunar@debian.org>
To: submit@bugs.debian.org
Subject: debhelper: please make mtimes of packaged files deterministic
Date: Sat, 30 Aug 2014 20:15:49 +0000
[Message part 1 (text/plain, inline)]
Package: debhelper
Version: 9.20140817
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain, timestamps
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Hi!

As part of the “reproducible builds” project [1], it would be great to
get the files shipped in the Debian package to have deterministic mtimes.

The attached patch will add a new helper `dh_fixmtimes`, largely
inspired by `dh_fixperms`, that will change the modification time of any
file that has been created later than the time of the latest
debian/changelog entry to the time of the latest debian/changelog entry.

This helper is set to run right before `dh_builddeb` in the `dh`
process.

 [1]: https://wiki.debian.org/ReproducibleBuilds

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Sat, 30 Aug 2014 20:30:08 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Sat, 30 Aug 2014 20:30:08 GMT) (full text, mbox, link).


Message #10 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Jérémy Bobbio <lunar@debian.org>
To: 759886@bugs.debian.org
Subject: Re: debhelper: please make mtimes of packaged files deterministic
Date: Sat, 30 Aug 2014 20:26:42 +0000
[Message part 1 (text/plain, inline)]
Control: tags -1 + patch

Lunar:
> The attached patch will add a new helper `dh_fixmtimes`, largely
> inspired by `dh_fixperms`, that will change the modification time of any
> file that has been created later than the time of the latest
> debian/changelog entry to the time of the latest debian/changelog entry.

This time with the patch. *sigh*

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[0001-dh_fixmtimes-introduce-new-helper-to-fix-mtimes-for-.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Added tag(s) patch. Request was from Jérémy Bobbio <lunar@debian.org> to 759886-submit@bugs.debian.org. (Sat, 30 Aug 2014 20:30:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Sun, 31 Aug 2014 21:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Sun, 31 Aug 2014 21:45:04 GMT) (full text, mbox, link).


Message #17 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>
To: Jérémy Bobbio <lunar@debian.org>, 759886@bugs.debian.org
Subject: Re: [debhelper-devel] Bug#759886: debhelper: please make mtimes of packaged files deterministic
Date: Sun, 31 Aug 2014 14:40:38 -0700
[Message part 1 (text/plain, inline)]
+1

Do you have a plan to get packages not using dh or cdbs to use this new
command?

I can think of 2 ways.. one is to add it to some existing command,
perhaps renaming the command. I thought maybe dh_fixperms could be
renamed to dh_fixmetadata. But, I think some will use dh_fixperms -X to
exclude certain files from being fixed, and we would not want that to
apply to mtime fixing.

My other idea is to make dh_fixmtimes set something that a later command
(eg, dh_builddeb) could use and warn if it was not run.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Sun, 31 Aug 2014 22:21:05 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Sun, 31 Aug 2014 22:21:05 GMT) (full text, mbox, link).


Message #22 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Jérémy Bobbio <lunar@debian.org>
To: Joey Hess <joeyh@debian.org>
Cc: 759886@bugs.debian.org
Subject: Re: [debhelper-devel] Bug#759886: debhelper: please make mtimes of packaged files deterministic
Date: Sun, 31 Aug 2014 22:18:48 +0000
[Message part 1 (text/plain, inline)]
Joey Hess:
> Do you have a plan to get packages not using dh or cdbs to use this new
> command?

Its heart is a single find+xargs+touch command. I had in mind that
packages not using dh or cdbs could have their own way on how to make
the mtimes deterministic. Possibly by adding such a find command in
their debian/rules at the right location, but there might be other
solutions.

> I can think of 2 ways.. one is to add it to some existing command,
> perhaps renaming the command. I thought maybe dh_fixperms could be
> renamed to dh_fixmetadata. But, I think some will use dh_fixperms -X to
> exclude certain files from being fixed, and we would not want that to
> apply to mtime fixing.

dh_fixmtimes must be run right before building the .deb, or it's likely
that some other command will change the newly set mtimes. dh_fixperms is
currently run at an earlier step of the build process.

> My other idea is to make dh_fixmtimes set something that a later command
> (eg, dh_builddeb) could use and warn if it was not run.

Maybe it should be integrated to dh_builddeb, then?

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Sun, 31 Aug 2014 22:39:05 GMT) (full text, mbox, link).


Acknowledgement sent to Joey Hess <joeyh@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Sun, 31 Aug 2014 22:39:05 GMT) (full text, mbox, link).


Message #27 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Joey Hess <joeyh@debian.org>
To: 759886@bugs.debian.org
Subject: Re: [debhelper-devel] Bug#759886: debhelper: please make mtimes of packaged files deterministic
Date: Sun, 31 Aug 2014 15:36:05 -0700
[Message part 1 (text/plain, inline)]
Jérémy Bobbio wrote:
> Joey Hess:
> > Do you have a plan to get packages not using dh or cdbs to use this new
> > command?
> 
> Its heart is a single find+xargs+touch command. I had in mind that
> packages not using dh or cdbs could have their own way on how to make
> the mtimes deterministic. Possibly by adding such a find command in
> their debian/rules at the right location, but there might be other
> solutions.

I was talking about commands that do use debhelper, but list all the
commands to run in debian/rules.

> > My other idea is to make dh_fixmtimes set something that a later command
> > (eg, dh_builddeb) could use and warn if it was not run.
> 
> Maybe it should be integrated to dh_builddeb, then?

I don't think it belongs in dh_builddeb directly.

-- 
see shy jo
[signature.asc (application/pgp-signature, inline)]

Added indication that bug 759886 blocks 764478 Request was from Holger Levsen <holger@layer-acht.org> to 764478-submit@bugs.debian.org. (Sat, 11 Oct 2014 14:30:16 GMT) (full text, mbox, link).


Added indication that bug 759886 blocks 769844 Request was from Jérémy Bobbio <lunar@debian.org> to submit@bugs.debian.org. (Sun, 16 Nov 2014 23:48:25 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Sun, 28 Dec 2014 21:06:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Sun, 28 Dec 2014 21:06:04 GMT) (full text, mbox, link).


Message #36 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Jérémy Bobbio <lunar@debian.org>
To: 759886@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#759886: debhelper: please make mtimes of packaged files deterministic
Date: Sun, 28 Dec 2014 22:03:11 +0100
[Message part 1 (text/plain, inline)]
Joey Hess:
> Jérémy Bobbio wrote:
> > Joey Hess:
> > > My other idea is to make dh_fixmtimes set something that a later command
> > > (eg, dh_builddeb) could use and warn if it was not run.
> > 
> > Maybe it should be integrated to dh_builddeb, then?
> 
> I don't think it belongs in dh_builddeb directly.

Unfortunately, while trying to understand why r-cran-gbm was not
building reproducibly [1], I noticed that there might be a compelling
reason to merge dh_fixmtimes in dh_builddeb.

When DH_ALWAYS_EXCLUDE is specified, dh_builddeb might delete files.
When this happens, parent directories get their mtime updated, reverting
dh_fixmtimes work.

So the ideal moment to set deterministic mtimes is after that pass.
Which means integrating the find+xargs+touch in dh_builddeb…

 [1]: https://jenkins.debian.net/userContent/dbd/r-cran-gbm_2.1-1.debbindiff.html

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Mon, 29 Dec 2014 11:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to "Bernhard R. Link" <brlink@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Mon, 29 Dec 2014 11:15:04 GMT) (full text, mbox, link).


Message #41 received at 759886@bugs.debian.org (full text, mbox, reply):

From: "Bernhard R. Link" <brlink@debian.org>
To: Jérémy Bobbio <lunar@debian.org>
Cc: 759886@bugs.debian.org
Subject: Re: [debhelper-devel] Bug#759886: debhelper: please make mtimes of packaged files deterministic
Date: Mon, 29 Dec 2014 11:41:50 +0100
* Jérémy Bobbio <lunar@debian.org> [141228 22:06]:
> Joey Hess:
> > Jérémy Bobbio wrote:
> > > Joey Hess:
> > > > My other idea is to make dh_fixmtimes set something that a later command
> > > > (eg, dh_builddeb) could use and warn if it was not run.
> > > 
> > > Maybe it should be integrated to dh_builddeb, then?
> > 
> > I don't think it belongs in dh_builddeb directly.
> 
> Unfortunately, while trying to understand why r-cran-gbm was not
> building reproducibly [1], I noticed that there might be a compelling
> reason to merge dh_fixmtimes in dh_builddeb.
> 
> When DH_ALWAYS_EXCLUDE is specified, dh_builddeb might delete files.
> When this happens, parent directories get their mtime updated, reverting
> dh_fixmtimes work.
> 
> So the ideal moment to set deterministic mtimes is after that pass.
> Which means integrating the find+xargs+touch in dh_builddeb…

May I suggest to just duplicate the DH_ALWAYS_EXCLUDE handling in
dh_fixmtimes for the time being?

If they are already removed then dh_builddeb should not do any new harm
and this way you keep more control over dh_fixmtimes so there is less
chance debhelper will ship outdated code.

Those two can then still later be merged if that still looks sensible
then.

	Bernhard R. Link
-- 
F8AC 04D5 0B9B 064B 3383  C3DA AFFC 96D1 151D FFDC



Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Wed, 31 Dec 2014 23:21:09 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Wed, 31 Dec 2014 23:21:09 GMT) (full text, mbox, link).


Message #46 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Jérémy Bobbio <lunar@debian.org>
To: "Bernhard R. Link" <brlink@debian.org>
Cc: 759886@bugs.debian.org
Subject: Re: [debhelper-devel] Bug#759886: debhelper: please make mtimes of packaged files deterministic
Date: Thu, 1 Jan 2015 00:18:17 +0100
[Message part 1 (text/plain, inline)]
Bernhard R. Link:
> May I suggest to just duplicate the DH_ALWAYS_EXCLUDE handling in
> dh_fixmtimes for the time being?
> 
> If they are already removed then dh_builddeb should not do any new harm
> and this way you keep more control over dh_fixmtimes so there is less
> chance debhelper will ship outdated code.
> 
> Those two can then still later be merged if that still looks sensible
> then.

That's a good suggestion, thanks! :)

But I'd like to experiment with fixing mtimes in dh_builddeb first.
There's a chance we can get thousands more packages building reproducibly
without having to change them… which would be a pretty compelling
argument.

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[signature.asc (application/pgp-signature, inline)]

Removed indication that bug 759886 blocks 769844 Request was from Jérémy Bobbio <lunar@debian.org> to 769844-submit@bugs.debian.org. (Mon, 05 Jan 2015 17:57:06 GMT) (full text, mbox, link).


Added tag(s) pending. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Wed, 12 Aug 2015 09:15:12 GMT) (full text, mbox, link).


Removed tag(s) pending. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Wed, 12 Aug 2015 09:18:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Mon, 12 Oct 2015 14:39:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Mon, 12 Oct 2015 14:39:04 GMT) (full text, mbox, link).


Message #57 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Jérémy Bobbio <lunar@debian.org>
To: 759886@bugs.debian.org
Subject: Re: Bug#759886: debhelper: please make mtimes of packaged files deterministic
Date: Mon, 12 Oct 2015 16:35:02 +0200
[Message part 1 (text/plain, inline)]
Lunar:
> The attached patch will add a new helper `dh_fixmtimes`, largely
> inspired by `dh_fixperms`, that will change the modification time of any
> file that has been created later than the time of the latest
> debian/changelog entry to the time of the latest debian/changelog entry.

A quick update on where we stand, more than a year after the original
patch. (*time flies*)

The experimental toolchain used to test package reproducibility [1]
currently adjusts mtimes in `dh_builddeb`. There were several concerns
with this approach.

Meanwhile, a patch has been written adding an option to get a similar
behavior when using GNU Tar to create an archive (#790415). The patch is
in Debian since tar/1.28-1 (although more discussions with upstream
seem to be required).

Using this new `--clamp-mtime` option, it becomes very simple to adjust
mtimes directly in `dpkg-deb`. This would be even better than changing
debhelper.

In any case, in the future, dpkg maintainers wish to replace usage of
GNU Tar by creating the archive using internal code. This would also
make it easy to solve the problem there.

I wonder if that means it's time to reassign to dpkg-dev.

 [1]: https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#759886; Package debhelper. (Fri, 15 Jan 2016 21:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Fri, 15 Jan 2016 21:33:04 GMT) (full text, mbox, link).


Message #62 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Jérémy Bobbio <lunar@debian.org>
To: 759886@bugs.debian.org, 759999@bugs.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>
Cc: reproducible-builds@lists.alioth.debian.org
Subject: dpkg-dev: please make mtimes of packaged files deterministic
Date: Fri, 15 Jan 2016 22:28:12 +0100
[Message part 1 (text/plain, inline)]
reassign 759886 dpkg-dev
retitle 759886 dpkg-dev: please make mtimes of packaged files deterministic
thanks

Hi!

The attached patch series is an attempt to make the mtimes of packaged
files deterministic. It is taken from the `pu/reproducible_builds`
dpkg branch maintained by the “reproducible builds” folks [1].

The first two patches introduce the idea of a canonical build timestamp
that will be used throughout dpkg-deb.

The first patch will make use of this timestamp to set the mtime in ar
headers (that's #759999). All headers will thus get the same timestamp
instead of recording the current time as they are added.

The second patch will use the --mtime and --clamp-mtime options of tar to
clamp the mtime of files recorded in control.tar and data.tar to the
build timestamp: files created at a later time will see their mtime
set to the build timestamp (that's #759886). As --clamp-mtime is only
available since tar/1.28-1 and has not yet been merged upstream,
dpkg-deb will first look for its availability by looking for the option
in the output of “tar --help”. If it's not available, it will fall back
to the previous behavior.

The third patch adds the ability to set the aforementioned build
timestamp using the SOURCE_DATE_EPOCH environment variable [2].

The fourth patch changes dpkg-buildpackage to set SOURCE_DATE_EPOCH to
the time of the latest debian/changelog entry if it hasn't been already
set, effectively making the timestamps recorded by dpkg-deb in the most
common build process deterministic.

 [1]: https://anonscm.debian.org/cgit/reproducible/dpkg.git/log/?h=pu/reproducible_builds
 [2]: https://reproducible-builds.org/specs/source-date-epoch/

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[0001-dpkg-deb-Use-a-single-timestamp-for-ar-headers-when-.patch (text/x-diff, attachment)]
[0002-dpkg-deb-Use-the-common-build-timestamp-for-all-file.patch (text/x-diff, attachment)]
[0003-dpkg-deb-Allow-to-set-the-build-timestamp-using-SOUR.patch (text/x-diff, attachment)]
[0004-dpkg-buildpackage-Preset-build-timestamp-to-latest-c.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]
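
The clamping described in the message above, as an added example that is not part of the original report or of the dpkg patch series: two "builds" of the same content, staged at different times and with a file deleted from the tree, are packed with `--mtime` and `--clamp-mtime` and compared byte for byte. The paths, the epoch value and the function names are constructed for the demo, and the `--sort`, `--owner`, `--group` and `--numeric-owner` options are extra normalisation that the thread does not discuss; GNU tar 1.29 or later is assumed.

```shell
#!/bin/sh
# Added example: clamp mtimes at archive time with GNU tar (>= 1.29).
# Paths, file names and the epoch value are constructed for the demo.

# Sample "latest changelog entry" time (constructed value).
EPOCH=1467565316

# Populate a staging tree: one file older than EPOCH and one file
# "generated during the build" whose mtime is $2 (later than EPOCH).
make_tree() {
    tree=$1 build_time=$2
    mkdir -p "$tree/usr/share/doc/pkg"
    printf 'upstream text\n' > "$tree/usr/share/doc/pkg/copyright"
    printf 'generated\n'     > "$tree/usr/share/doc/pkg/index.html"
    printf 'scratch\n'       > "$tree/usr/share/doc/pkg/.scratch"
    touch -d @1400000000     "$tree/usr/share/doc/pkg/copyright"
    touch -d "@$build_time"  "$tree/usr/share/doc/pkg/index.html"
    # Deleting a file bumps the parent directory's mtime to "now",
    # the effect the thread describes for DH_ALWAYS_EXCLUDE.
    rm "$tree/usr/share/doc/pkg/.scratch"
}

# Pack the tree ($1) into archive ($2), clamping to epoch ($3).
# With --clamp-mtime, --mtime only rewrites mtimes that are later than
# the given time; older ones are kept as they are.
pack() {
    tree=$1 out=$2 epoch=$3
    tar -C "$tree" --sort=name --owner=0 --group=0 --numeric-owner \
        --mtime="@$epoch" --clamp-mtime -cf "$out" .
}

# Print the mtime (seconds since the Unix epoch) that member $2 has in
# archive $1, by extracting to a scratch directory and asking stat.
archived_mtime() {
    archive=$1 member=$2
    dest=$(mktemp -d)
    tar -C "$dest" -xf "$archive"
    stat -c %Y "$dest/$member"
    rm -rf "$dest"
}

# Stage the same content twice with different build times and check
# that the two archives are byte-identical.
demo() {
    work=$(mktemp -d)
    make_tree "$work/a" 1500000000
    make_tree "$work/b" 1600000000
    pack "$work/a" "$work/a.tar" "$EPOCH"
    pack "$work/b" "$work/b.tar" "$EPOCH"
    cmp -s "$work/a.tar" "$work/b.tar"; same=$?
    rm -rf "$work"
    return "$same"
}

demo && echo "archives are byte-identical"
```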

Bug reassigned from package 'debhelper' to 'dpkg-dev'. Request was from Jérémy Bobbio <lunar@debian.org> to control@bugs.debian.org. (Fri, 15 Jan 2016 21:33:09 GMT) (full text, mbox, link).


No longer marked as found in versions debhelper/9.20140817. Request was from Jérémy Bobbio <lunar@debian.org> to control@bugs.debian.org. (Fri, 15 Jan 2016 21:33:10 GMT) (full text, mbox, link).


Changed Bug title to 'dpkg-dev: please make mtimes of packaged files deterministic' from 'debhelper: please make mtimes of packaged files deterministic' Request was from Jérémy Bobbio <lunar@debian.org> to control@bugs.debian.org. (Fri, 15 Jan 2016 21:33:11 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#759886; Package dpkg-dev. (Mon, 18 Jan 2016 01:21:08 GMT) (full text, mbox, link).


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Mon, 18 Jan 2016 01:21:08 GMT) (full text, mbox, link).


Message #73 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 759886@bugs.debian.org, 759999@bugs.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>, reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#759999: dpkg-dev: please make mtimes of packaged files deterministic
Date: Mon, 18 Jan 2016 02:19:47 +0100
Hi!

On Fri, 2016-01-15 at 22:28:12 +0100, Jérémy Bobbio wrote:
> reassign 759886 dpkg-dev
> retitle 759886 dpkg-dev: please make mtimes of packaged files deterministic
> thanks

Thanks for the patches!

> The second patch will use the --mtime and --clamp-mtime options of tar to
> clamp the mtime of files recorded in control.tar and data.tar to the
> build timestamp: files created at a later time will see their mtime
> set to the build timestamp (that's #759886). As --clamp-mtime is only
> available since tar/1.28-1 and has not yet been merged upstream,
> dpkg-deb will first look for its availability by looking for the option
> in the output of “tar --help”. If it's not available, it will fall back
> to the previous behavior.

The --clamp-mtime option looks promising, but I'm not happy about its
current situation. Please get this upstreamed first. I don't mind making
dpkg depend on an extremely recent GNU tar, but I really don't want to
use a Debian specific option like this, as it could change semantics,
etc. And I don't like parsing --help output at all. I still have to fix
the situation with dpkg-source using the Debian specific gzip --rsyncable
option, for example. :(

Thanks,
Guillem



Added blocking bug(s) of 759886: 816072 Request was from Guillem Jover <guillem@debian.org> to submit@bugs.debian.org. (Sat, 27 Feb 2016 08:33:05 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#759886; Package dpkg-dev. (Wed, 30 Mar 2016 01:06:03 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 30 Mar 2016 01:06:03 GMT) (full text, mbox, link).


Message #80 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: 759886@bugs.debian.org
Subject: [patch #8925] Support --clamp-mtime for binary reproducibility]
Date: Tue, 29 Mar 2016 21:03:38 -0400
[Message part 1 (text/plain, inline)]
Hi Guillem,

FYI, GNU tar's upstream has accepted our patch! :-)


cheers,
	Holger

----- Forwarded message from Sergey Poznyakoff <INVALID.NOREPLY@gnu.org> -----

Date: Thu, 24 Mar 2016 05:33:34 +0000
From: Sergey Poznyakoff <INVALID.NOREPLY@gnu.org>
To: Sergey Poznyakoff <gray@gnu.org.ua>, Ximin Luo <infinity0@pwned.gg>, 816072@bugs.debian.org, gray@gnu.org
Subject: [patch #8925] Support --clamp-mtime for binary reproducibility
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:36.0) Gecko/20100101 Firefox/36.0

Update of patch #8925 (project tar):

                  Status:                    None => Done                   
             Assigned to:                    None => gray                   

    _______________________________________________________

Follow-up Comment #1:

The patch is incorporated into Git repository (commit
13d04fe6ae5a343415299359944382f7a6d37816). It will appear in the next stable
release of GNU tar (v.1.29). Thank you!

    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/patch/?8925>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/



----- End forwarded message -----


[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#759886; Package dpkg-dev. (Wed, 30 Mar 2016 08:33:07 GMT) (full text, mbox, link).


Acknowledgement sent to Guillem Jover <guillem@debian.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 30 Mar 2016 08:33:07 GMT) (full text, mbox, link).


Message #85 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: Holger Levsen <holger@layer-acht.org>, 759886@bugs.debian.org
Subject: Re: Bug#759886: [patch #8925] Support --clamp-mtime for binary reproducibility]
Date: Wed, 30 Mar 2016 10:32:08 +0200
Hi!

On Tue, 2016-03-29 at 21:03:38 -0400, Holger Levsen wrote:
> FYI, GNU tar's upstream has accepted our patch! :-)

Yes, I was notified on IRC, and also saw your private mail. :) In any
case there's not been a release yet AFAIK. Given that upstream said
that would happen in 7-10 days, I'll wait before committing any change,
so that dpkg depends on released features that other downstreams can
use. And in any case there's still a few things I want to wrap up before
the next dpkg release so that should give enough time.

Thanks,
Guillem



Information forwarded to debian-bugs-dist@lists.debian.org, Dpkg Developers <debian-dpkg@lists.debian.org>:
Bug#759886; Package dpkg-dev. (Wed, 30 Mar 2016 14:21:12 GMT) (full text, mbox, link).


Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Dpkg Developers <debian-dpkg@lists.debian.org>. (Wed, 30 Mar 2016 14:21:12 GMT) (full text, mbox, link).


Message #90 received at 759886@bugs.debian.org (full text, mbox, reply):

From: Holger Levsen <holger@layer-acht.org>
To: Guillem Jover <guillem@debian.org>
Cc: 759886@bugs.debian.org
Subject: Re: Bug#759886: [patch #8925] Support --clamp-mtime for binary reproducibility]
Date: Wed, 30 Mar 2016 10:19:05 -0400
[Message part 1 (text/plain, inline)]
Hey!

On Wed, Mar 30, 2016 at 10:32:08AM +0200, Guillem Jover wrote:
> Yes, I was notified on IRC, and also saw your private mail. :) 

hehe, lol. Too much travelling and a new mail client… so I forgot :)

but then, it's also good to have that in the BTS, as a matter of proper
workflows… 

> In any
> case there's not been a release yet AFAIK. Given that upstream said
> that would happen in 7-10 days, I'll wait before committing any change,
> so that dpkg depends on released features that other downstreams can
> use. And in any case there's still a few things I want to wrap up before
> the next dpkg release so that should give enough time.

cool! very :) +thanks for the update…!


-- 
cheers,
	Holger
[signature.asc (application/pgp-signature, inline)]

Message sent on to Jérémy Bobbio <lunar@debian.org>:
Bug#759886. (Sun, 03 Jul 2016 21:33:14 GMT) (full text, mbox, link).


Message #93 received at 759886-submitter@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 759886-submitter@bugs.debian.org
Subject: Bug#759886 in package dpkg marked as pending
Date: Sun, 03 Jul 2016 21:29:24 +0000
Control: tag 759886 pending

Hi!

Bug #759886 in package dpkg reported by you has been fixed in
the dpkg/dpkg.git Git repository. You can see the changelog below, and
you can check the diff of the fix at:

    https://anonscm.debian.org/cgit/dpkg/dpkg.git/diff/?id=62a6382

---
commit 62a638211c0c03ab2eefb59b5c613115007da1b3
Author: Guillem Jover <guillem@debian.org>
Date:   Wed May 18 01:54:35 2016 +0200

    dpkg-deb: Use new GNU tar --clamp-mtime option
    
    This will guarantee that no file in binary packages has an mtime later
    than the specified time. Which will be required to make binary packages
    reproducible.
    
    The option was officially added in GNU tar 1.29, but in Debian it was
    introduced as a vendor patch in 1.28, so on Debian we depend on the
    latter instead of the former version.
    
    Closes: #759886

diff --git a/debian/changelog b/debian/changelog
index 57d3756..d3e5577 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -27,6 +27,8 @@ dpkg (1.18.8) UNRELEASED; urgency=medium
     was obviously wrong. Reported by Helmut Grohne <helmut@subdivi.de>.
   * Fix strtol() errno check when parsing the COLUMNS envvar in dpkg-query.
     Thanks to Sven Joachim <svenjoac@gmx.de>. Closes: #827265
+  * Use new GNU tar --clamp-mtime option in dpkg-deb to make sure no file in
+    binary packages has an mtime later than the given time. Closes: #759886
   * Perl modules:
     - Use warnings::warnif() instead of carp() for deprecated warnings.
     - Add new format_range() method and deprecate dpkg() and rfc822() methods
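
Review bot: the added changelog entry (the two `+` lines under dpkg (1.18.8)) does not record the tar version requirement that the commit message spells out, namely that --clamp-mtime was officially added in GNU tar 1.29 and is carried in Debian as a vendor patch in 1.28. Consider naming the required tar version in the entry, and saying which time "the given time" refers to, since the changelog is what downstream packagers will read rather than the commit message.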



Added tag(s) pending. Request was from Guillem Jover <guillem@debian.org> to 759886-submitter@bugs.debian.org. (Sun, 03 Jul 2016 21:33:14 GMT) (full text, mbox, link).


Reply sent to Guillem Jover <guillem@debian.org>:
You have taken responsibility. (Sun, 03 Jul 2016 22:45:14 GMT) (full text, mbox, link).


Notification sent to Jérémy Bobbio <lunar@debian.org>:
Bug acknowledged by developer. (Sun, 03 Jul 2016 22:45:14 GMT) (full text, mbox, link).


Message #100 received at 759886-close@bugs.debian.org (full text, mbox, reply):

From: Guillem Jover <guillem@debian.org>
To: 759886-close@bugs.debian.org
Subject: Bug#759886: fixed in dpkg 1.18.8
Date: Sun, 03 Jul 2016 22:41:47 +0000
Source: dpkg
Source-Version: 1.18.8

We believe that the bug you reported is fixed in the latest version of
dpkg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 759886@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Guillem Jover <guillem@debian.org> (supplier of updated dpkg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 03 Jul 2016 19:01:56 +0200
Source: dpkg
Binary: libdpkg-dev dpkg dpkg-dev libdpkg-perl dselect
Architecture: source
Version: 1.18.8
Distribution: unstable
Urgency: medium
Maintainer: Dpkg Developers <debian-dpkg@lists.debian.org>
Changed-By: Guillem Jover <guillem@debian.org>
Description:
 dpkg       - Debian package management system
 dpkg-dev   - Debian package development tools
 dselect    - Debian package management front-end
 libdpkg-dev - Debian package management static library
 libdpkg-perl - Dpkg perl modules
Closes: 539692 745366 759886 759999 765494 779559 823167 823805 823877 824515 824542 824572 824873 824938 826161 826334 827265 827628 827633 828146
Changes:
 dpkg (1.18.8) unstable; urgency=medium
 .
   [ Guillem Jover ]
   * Do not disable PIE buildflags on */kFreeBSD anymore. Closes: #823877
     Thanks to Steven Chamberlain <steven@pyro.eu.org>.
   * Add new long options in dpkg-buildpackage for any short option that is
     a useful configurable candidate.
   * Add configuration file support to dpkg-buildpackage, as buildpackage.conf
     under either the dpkg system or user configuration directories.
     Closes: #539692, #765494
   * Check that debian/tests/control is a regular file before parsing it.
   * Generate Testsuite-Triggers field from test dependencies in dpkg-source
     into .dsc files. Based on a patch by Martin Pitt <martin.pitt@ubuntu.com>.
     Closes: #779559
   * Add new dpkg-source --no-overwrite-dir extraction option. Closes: #826334
   * Fix number of entries computation returned by sysctl() on */kFreeBSD in
     start-stop-daemon.
   * Set return buffer length for sysctl(2) calls on */kFreeBSD in
     start-stop-daemon.
   * Abstract ar archive handling behind a new struct dpkg_ar and functions.
   * On dpkg --force-chrootless only set changedir to instdir if defined.
     Thanks to Niall Walsh <niallwalsh@celtux.org>. Closes: #824542
   * Set primary group to 0 in dpkg when running as root.
     Reported by Stuart Prescott <stuart@debian.org>.
   * Activate file triggers for conffiles on purge, which has never happened
     before. Before dpkg 1.17.0, conffiles were triggered on removal, which
     was obviously wrong. Reported by Helmut Grohne <helmut@subdivi.de>.
   * Fix strtol() errno check when parsing the COLUMNS envvar in dpkg-query.
     Thanks to Sven Joachim <svenjoac@gmx.de>. Closes: #827265
   * Use new GNU tar --clamp-mtime option in dpkg-deb to make sure no file in
     binary packages has an mtime later than the given time. Closes: #759886
   * Use the same timestamp for the ar container as for tarball mtime clamping
     in dpkg-deb.
   * Set ar timestamp and tar mtime clamping to SOURCE_DATE_EPOCH if defined
     in dpkg-deb. Based on a patch by Jérémy Bobbio <lunar@debian.org>.
   * Preset build timestamp to latest changelog entry in dpkg-buildpackage,
     by setting SOURCE_DATE_EPOCH environment variable if it is not already
     defined. Based on a patch by Jérémy Bobbio <lunar@debian.org>.
     Closes: #759999
   * Do not use the debian/rules build target fallback when building both
     architecture independent and dependent packages in dpkg-buildpackage.
   * Use architecture «all» as part of the .changes filename when building
     architecture independent binaries and no architecture dependent binaries.
     Closes: #826161
   * Do not emit warnings from dpkg-genchanges for automatic debug symbol
     packages that are not found in debian/control.
   * Export SOURCE_DATE_EPOCH from pkg-info.mk makefile snippet.
     Closes: #824572
   * Architecture support:
     - Add TILE-Gx support to cputable. Closes: #823167
       Thanks to Helmut Grohne <helmut@subdivi.de>.
   * Perl modules:
     - Use warnings::warnif() instead of carp() for deprecated warnings.
     - Add new format_range() method and deprecate dpkg() and rfc822() methods
       in Dpkg::Changelog.
     - Replace changelog program parsers with perl modules.
     - Add a getter for the Time::Piece object in Dpkg::Changelog.
     - Add new Timestamp field to Dpkg::Changelog output, which ends up on
       dpkg-parsechangelog's output.
     - Validate source version in set_version_substvars()'s Dpkg::Substvars
       method.
     - Revert "Dpkg::Conf: Switch implementation to be hash based", as this
       change broke backwards compatibility in multiple ways. The format_argv
       option was set by default, the order was not preserved, which was
       important for dpkg.cfg files, and duplicate option names stopped being
       supported. Add regression tests to avoid similar changes in the future.
       Closes: #824938
     - Add support for system and user config loading in Dpkg::Conf.
     - Add support for autopkgtest control files, with new CTRL_TESTS control
       type, new recognized fields to Dpkg::Control::Fields, and new modules
       Dpkg::Control::Tests and Dpkg::Control::Tests::Entry. Also update
       Dpkg::Index to support these.
     - Fix Dpkg::Deps so that architecture qualifiers only imply one another
       if they are the same. Closes: #745366, #827628
     - Add support for new environment variable DEB_BUILD_PATH to be able to
       control the path in the fixdebugpath feature in Dpkg::Vendor::Debian.
     - Preserve order when prepending shared library paths in Dpkg::Shlibs.
       This fixes the order of paths passed via dpkg-shlibdeps -l option.
       Closes: #823805
     - Check whether dependency restrictions are implied in Dpkg::Deps::Simple.
       Thanks to Ben Hutchings <ben@decadent.org.uk>. Closes: #827633
     - Disable upstream tar signature when building format 1.0 source packages
       in Dpkg::Source::Package::V1, as the current stable dpkg series do not
       support extracting them.
     - Preset Last-Update field in patch header template with current time in
       Dpkg::Source::Package::V2. Thanks to Daniel Shahaf <danielsh@apache.org>.
       Closes: #828146
   * Packaging:
     - Disable libmd usage in Debian and derivatives for now.
   * Build system:
     - Stop allowing to set deprecated bzip2 compressor as dpkg-deb default.
     - Use libmd automatically if available.
     - Uniformize library build options, from --with-zlib to --with-libz,
       --with-bz2 to --with-libbz2 and --with-selinux to --with-libselinux.
   * Test suite:
     - Bump perlcritic ValuesAndExpressions::RequireNumberSeparators minimum
       to 99999.
     - Add new pod-spell unit test.
     - Refactor common unit test checks for needed things into Test::Dpkg.
     - Accept perl's Lancaster Consensus AUTHOR_TESTING variable.
     - Add new minimum perl version unit test.
     - Add new synopsis unit test.
     - Add unit tests for dependency simplification with build profiles.
   * Documentation:
     - Improve dpkg-buildpackage(1) on environment expectations.
     - Clarify the format of the db:Status-Abbrev virtual field in
       dpkg-query(1). Closes: #824515
     - Document the tar entry size limitation for deb(5) format.
     - Document interaction between PIE and libraries in dpkg-buildflags(1).
       Based on text by Christian Seiler <christian@iwakd.de>.
     - Merge ENVIRONMENT sections in dpkg-buildflags(1).
     - Document various long options in dpkg-source --help output.
     - Move dpkg-source -q option from “Build options” to “General options”
       section in --help output.
     - Clarify shared library search order in dpkg-shlibdeps(1).
     - Remove most remaining AUTHOR sections from man and POD, as they are
       strongly discouraged, for being redundant, tending to get out-of-sync,
       and their format being inconsistent. In addition most got already
       removed in the past for the man pages.
     - Mark perlcritic as an optional author test dependency in the README.
     - Fix example code in Dpkg::Compression::FileHandle SYNOPSIS.
 .
   [ Updated programs translations ]
   * German (Sven Joachim).
   * Simplified Chinese (Zhou Mo). Closes: #824873
 .
   [ Updated scripts translations ]
   * German (Helge Kreutzmann).
 .
   [ Updated manpages translations ]
   * German (Helge Kreutzmann).
Checksums-Sha1:
 1976784ae227d550c4741ec17f4d747cf980cb48 2026 dpkg_1.18.8.dsc
 ecc3973037b85e6c7bc89928d7aa83ce6f13ec23 4633168 dpkg_1.18.8.tar.xz
Checksums-Sha256:
 965e50539d337897a74dd77ea9e66d2baec917ec6e089bc442320e7706abee5f 2026 dpkg_1.18.8.dsc
 0b5562578a46d5c54fe77c262cd0a13ad13f4ff4bda8ccc285757ad37a3f65b7 4633168 dpkg_1.18.8.tar.xz
Files:
 14737307588416c1747e78fbb69f379f 2026 admin required dpkg_1.18.8.dsc
 4729a5a9cd3755c0adf37e95e22f482e 4633168 admin required dpkg_1.18.8.tar.xz

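The mtime clamping that the changelog above describes for dpkg-deb (tar --clamp-mtime driven by SOURCE_DATE_EPOCH), reproduced as an added example with Python's tarfile module instead of GNU tar. This is not dpkg code; the function names, file names, the sample epoch and the fallback to the current time are assumptions of the example.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import time

def clamp_time(env):
    """SOURCE_DATE_EPOCH if defined, else now (the fallback is this example's assumption)."""
    value = env.get("SOURCE_DATE_EPOCH")
    return int(value) if value is not None else int(time.time())

def build_tar(root, epoch):
    """Archive root with sorted member order and every mtime clamped to at most epoch."""
    def clamp(info):
        info.mtime = min(int(info.mtime), epoch)  # older files keep their real mtime
        return info
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(os.listdir(root)):
            tar.add(os.path.join(root, name), arcname=name, filter=clamp)
    return buf.getvalue()

def member_mtimes(data):
    """Read the mtimes back out of the archive bytes."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return {m.name: m.mtime for m in tar.getmembers()}

def simulated_build(build_started, epoch):
    """Constructed tree: one file older than epoch, one written 'during the build'."""
    with tempfile.TemporaryDirectory() as root:
        for name, mtime in (("upstream.txt", epoch - 86400), ("generated.o", build_started)):
            path = os.path.join(root, name)
            with open(path, "w") as handle:
                handle.write(name)
            os.chmod(path, 0o644)
            os.utime(path, (mtime, mtime))
        return build_tar(root, epoch)

def demo():
    epoch = clamp_time({"SOURCE_DATE_EPOCH": "1467565316"})  # constructed sample value
    first = simulated_build(epoch + 3600, epoch)       # same source, built an hour later
    second = simulated_build(epoch + 7 * 86400, epoch)  # and again a week later
    same = hashlib.sha256(first).digest() == hashlib.sha256(second).digest()
    return same, member_mtimes(first)

if __name__ == "__main__":
    print(demo())
```

Because only timestamps later than the epoch are rewritten, a file that is genuinely older keeps its real mtime, which is the difference between clamping and setting every mtime to one value.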




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 01 Aug 2016 07:57:48 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 14:10:00 2023; Machine Name: bembo
