Debian Bug report logs - #791823
debhelper: set SOURCE_DATE_EPOCH env var for reproducible builds

Package: debhelper; Maintainer for debhelper is Debhelper Maintainers <debhelper@packages.debian.org>; Source for debhelper is src:debhelper.

Reported by: Dhole <dhole@openmailbox.org>

Date: Wed, 8 Jul 2015 17:51:02 UTC

Severity: wishlist

Tags: patch

Fixed in version debhelper/9.20151004

Done: Niels Thykier <niels@thykier.net>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#791823; Package src:debhelper. (Wed, 08 Jul 2015 17:51:06 GMT)


Acknowledgement sent to Dhole <dhole@openmailbox.org>:
New Bug report received and forwarded. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Wed, 08 Jul 2015 17:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Dhole <dhole@openmailbox.org>
To: submit@bugs.debian.org, reproducible-builds@lists.alioth.debian.org
Subject: debhelper: set SOURCE_DATE_EPOCH env var for reproducible builds
Date: Wed, 08 Jul 2015 19:48:07 +0200
[Message part 1 (text/plain, inline)]
Source: debhelper
Version: 9.20150628
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: toolchain timestamps

Hi!

While working on the “reproducible builds” effort [1] we have a proposal
of using deterministic timestamps [2] (based on the latest
debian/changelog entry) which is to be set in the environment variable
SOURCE_DATE_EPOCH.

The attached patch makes debhelper export the SOURCE_DATE_EPOCH env
variable during the execution with the latest debian/changelog entry
timestamp, so that packages running during the build process can read it
and replace localtime date/time calls with the exported timestamp in
order to have reproducible builds.

Also, in order to help reproducible builds, a fixed timezone is exported
(TZ=UTC).

 [1]: https://wiki.debian.org/ReproducibleBuilds
 [2]: https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal

Regards,
-- 
Dhole
[debhelper.diff.txt (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]
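
Added example (not part of the original message and not debhelper's code): a Python sketch of the mechanism described above, deriving SOURCE_DATE_EPOCH from the trailer of the newest debian/changelog entry and consuming it in place of the wall clock. The function names, the sample changelog's older entry and the choice to keep a value already present in the environment are assumptions of this example.

```python
import re
import time
from email.utils import parsedate_to_datetime

# Constructed sample: the top entry uses the version, maintainer and date shown
# in the upload notice on this page; the older entry is made up.
SAMPLE_CHANGELOG = """\
debhelper (9.20151004) unstable; urgency=medium

  * dh/dh_auto_*: Apply patch from Eduard Sanou to define
    SOURCE_DATE_EPOCH.  (Closes: #791823)

 -- Niels Thykier <niels@thykier.net>  Sun, 04 Oct 2015 17:34:16 +0200

debhelper (9.20150628) unstable; urgency=medium

  * Constructed older entry.

 -- Example Maintainer <maint@example.org>  Sun, 28 Jun 2015 12:00:00 +0000
"""

# Trailer line of a changelog entry: " -- Name <email>  RFC 2822 date"
TRAILER = re.compile(r"^ -- .+ <[^>]*>  (.+)$", re.MULTILINE)


def latest_entry_epoch(changelog_text):
    """Epoch seconds of the newest (first) entry's trailer date."""
    match = TRAILER.search(changelog_text)
    if match is None:
        raise ValueError("no changelog trailer line found")
    return int(parsedate_to_datetime(match.group(1)).timestamp())


def build_env(changelog_text, base_env):
    """Environment for build steps; a value set by the caller is kept (assumption)."""
    env = dict(base_env)
    env.setdefault("SOURCE_DATE_EPOCH", str(latest_entry_epoch(changelog_text)))
    return env


def embedded_build_date(env):
    """Consumer side: prefer SOURCE_DATE_EPOCH over the wall clock, render in UTC."""
    raw = env.get("SOURCE_DATE_EPOCH")
    epoch = int(raw) if raw is not None else int(time.time())
    return time.strftime("%Y-%m-%d", time.gmtime(epoch))
```

Two builds of the same source then embed the same date regardless of when they run, which is what lets an independent rebuilder compare its output with the published binary.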

Added indication that bug 791823 blocks 791815 Request was from Johannes Schauer <josch@debian.org> to 791815-submit@bugs.debian.org. (Sat, 11 Jul 2015 15:39:04 GMT)


Added indication that bug 791823 blocks 790899 Request was from Johannes Schauer <josch@debian.org> to control@bugs.debian.org. (Sat, 11 Jul 2015 15:45:06 GMT)


Bug reassigned from package 'src:debhelper' to 'debhelper'. Request was from Jérémy Bobbio <lunar@debian.org> to control@bugs.debian.org. (Sun, 12 Jul 2015 09:57:06 GMT)


No longer marked as found in versions debhelper/9.20150628. Request was from Jérémy Bobbio <lunar@debian.org> to control@bugs.debian.org. (Sun, 12 Jul 2015 09:57:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#791823; Package debhelper. (Sun, 12 Jul 2015 10:06:08 GMT)


Acknowledgement sent to Jérémy Bobbio <lunar@debian.org>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Sun, 12 Jul 2015 10:06:08 GMT)


Message #18 received at 791823@bugs.debian.org:

From: Jérémy Bobbio <lunar@debian.org>
To: 791823@bugs.debian.org
Cc: reproducible-builds@lists.alioth.debian.org
Subject: Re: Bug#791823: debhelper: set SOURCE_DATE_EPOCH env var for reproducible builds
Date: Sun, 12 Jul 2015 12:03:00 +0200
[Message part 1 (text/plain, inline)]
Hi!

Dhole:
> Also, in order to help reproducible builds, a fixed timezone is exported
> (TZ=UTC).

I am not convinced this change is a good idea. While reviewing new uploads
to the Debian archive, I have at least spotted these lines in
exim4/4.86~RC4-1 changelog [1]:

>   * unexport/undefine TZ in debian/rules for reproducible build. It
>     would be used as default value for TIMEZONE_DEFAULT.

The `TZ` environment variable is not usually set in a build environment.
It is a reproducibility problem if a package produces different binaries
when it is, but that's all. I am afraid that some packages, like exim4,
would silently start behaving differently if we set `TZ` in debhelper.

If we don't set the variable in debhelper, we can use the
reproducibility tests to spot packages who are building differently
depending on the timezone or the value of TZ and propose fixes to
maintainers. This enables them to review their impact. It is indeed more
work, but it's less likely to unknowingly introduce any weird behavior.

 [1]: https://tracker.debian.org/news/694090

-- 
Lunar                                .''`. 
lunar@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
                                      `-   
[signature.asc (application/pgp-signature, inline)]

Added indication that bug 791823 blocks 792202 Request was from Mattia Rizzolo <mattia@mapreri.org> to control@bugs.debian.org. (Sun, 12 Jul 2015 16:45:16 GMT)


Added indication that bug 791823 blocks 792201 Request was from Mattia Rizzolo <mattia@mapreri.org> to control@bugs.debian.org. (Sun, 12 Jul 2015 16:48:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#791823; Package debhelper. (Mon, 20 Jul 2015 08:48:03 GMT)


Acknowledgement sent to Ximin Luo <infinity0@pwned.gg>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Mon, 20 Jul 2015 08:48:03 GMT)


Message #27 received at 791823@bugs.debian.org:

From: Ximin Luo <infinity0@pwned.gg>
To: 791823@bugs.debian.org, reproducible-builds@lists.alioth.debian.org
Subject: Re: [Reproducible-builds] Bug#791823: debhelper: set SOURCE_DATE_EPOCH env var for reproducible builds
Date: Mon, 20 Jul 2015 10:45:24 +0200
[Message part 1 (text/plain, inline)]
On 12/07/15 12:03, Jérémy Bobbio wrote:
> Hi!
> 
> Dhole:
>> Also, in order to help reproducible builds, a fixed timezone is exported
>> (TZ=UTC).
> 
> I am not convinced this change is a good idea. While reviewing new uploads
> to the Debian archive, I have at least spotted these lines in
> exim4/4.86~RC4-1 changelog [1]:
> 
>>   * unexport/undefine TZ in debian/rules for reproducible build. It
>>     would be used as default value for TIMEZONE_DEFAULT.
> 
> The `TZ` environment variable is not usually set in a build environment.
> It is a reproducibility problem if a package produces different binaries
> when it is, but that's all. I am afraid that some packages, like exim4,
> would silently start behaving differently if we set `TZ` in debhelper.
> 
> If we don't set the variable in debhelper, we can use the
> reproducibility tests to spot packages who are building differently
> depending on the timezone or the value of TZ and propose fixes to
> maintainers. This enables them to review their impact. It is indeed more
> work, but it's less likely to unknowingly introduce any weird behavior.
> 
>  [1]: https://tracker.debian.org/news/694090
> 

I also had some reservations about setting TZ in this way, but wasn't quite sure how to express it. But here's a more general, abstract version of the scenario Lunar pointed out.

- Imagine that upstream thinks it's reasonable to e.g. generate certain locale data based on the TZ variable at build time.
- Setting TZ=UTC would make the build appear "reproducible", and the package maintainer may not even realise that there's something missing, especially if this locales thing is buried deep in the build scripts.
- The correct solution would be for upstream to generate such data for all TZs. For sure, setting TZ=UTC would not interfere with this fix, but it makes such issues harder to detect.

I suggest we drop this particular aspect from this patch and just focus on SOURCE_DATE_EPOCH instead.

X

-- 
GPG: 4096R/1318EFAC5FBBDBCE
git://github.com/infinity0/pubkeys.git

[signature.asc (application/pgp-signature, attachment)]
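
Added example (not from this thread or from debhelper): a Python sketch of the reproducibility test discussed in the two replies above, building the same input under several TZ values and comparing digests, and of how a helper that exports TZ=UTC would hide the variation. `toy_build`, `force_utc` and the zone list are constructed for illustration; POSIX TZ strings are used so no zoneinfo database is needed, and `time.tzset()` is Unix-only.

```python
import hashlib
import os
import time

EPOCH = 1443972856  # 2015-10-04 15:34:16 UTC, the upload date shown on this page


def toy_build(epoch):
    """Constructed stand-in for an upstream build step whose output depends on TZ."""
    return time.strftime("built %Y-%m-%d %H:%M\n", time.localtime(epoch)).encode()


def digest_under_tz(tz, epoch, force_utc=False):
    """Run toy_build with TZ=tz; force_utc models a helper that exports TZ=UTC first."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = "UTC0" if force_utc else tz
    time.tzset()  # make localtime() re-read TZ
    try:
        return hashlib.sha256(toy_build(epoch)).hexdigest()
    finally:
        # Restore the caller's TZ so the check has no side effects.
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()


def varies_with_tz(epoch, force_utc=False, zones=("UTC0", "JST-9", "PST8")):
    """Reproducibility check: same input, different TZ, compare output digests."""
    return len({digest_under_tz(z, epoch, force_utc) for z in zones}) > 1
```

With the timezone left to vary the check flags the build; with TZ pinned the digests agree and the TZ-dependent step goes unnoticed.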

Added tag(s) pending. Request was from Niels Thykier <niels@thykier.net> to control@bugs.debian.org. (Wed, 12 Aug 2015 09:18:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>:
Bug#791823; Package debhelper. (Wed, 23 Sep 2015 02:51:08 GMT)


Acknowledgement sent to "County Court" <herbert.wells@ruberti.com.br>:
Extra info received and forwarded to list. Copy sent to Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>. (Wed, 23 Sep 2015 02:51:08 GMT)


Reply sent to Niels Thykier <niels@thykier.net>:
You have taken responsibility. (Sun, 04 Oct 2015 16:09:45 GMT)


Notification sent to Dhole <dhole@openmailbox.org>:
Bug acknowledged by developer. (Sun, 04 Oct 2015 16:09:45 GMT)


Message #39 received at 791823-close@bugs.debian.org:

From: Niels Thykier <niels@thykier.net>
To: 791823-close@bugs.debian.org
Subject: Bug#791823: fixed in debhelper 9.20151004
Date: Sun, 04 Oct 2015 16:04:41 +0000
Source: debhelper
Source-Version: 9.20151004

We believe that the bug you reported is fixed in the latest version of
debhelper, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 791823@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Niels Thykier <niels@thykier.net> (supplier of updated debhelper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 04 Oct 2015 17:34:16 +0200
Source: debhelper
Binary: debhelper
Architecture: source all
Version: 9.20151004
Distribution: unstable
Urgency: medium
Maintainer: Debhelper Maintainers <debhelper-devel@lists.alioth.debian.org>
Changed-By: Niels Thykier <niels@thykier.net>
Description:
 debhelper  - helper programs for debian/rules
Closes: 436240 516721 595097 672282 677353 698054 719148 748993 759895 776103 790820 791823 794396 794898 795193 795519 797002 797904 798116 800332
Changes:
 debhelper (9.20151004) unstable; urgency=medium
 .
   [ Niels Thykier ]
   * dh/dh_auto_*: Apply patch from Eduard Sanou to define
     SOURCE_DATE_EPOCH.  (Closes: #791823)
   * cmake.pm: Add better cross-compile support for cmake.
     Heavily based on a patch from Helmut Grohne.
     (Closes: #794396)
   * cmake.pm: Pass -DCMAKE_INSTALL_SYSCONFDIR=/etc and
     -DCMAKE_INSTALL_LOCALSTATEDIR=/var to cmake.  Thanks to
     Felix Geyer, Lisandro Damián Nicanor Pérez Meyer and
     Michael Terry for the assistance plus suggestions.
     (Closes: #719148)
   * dh_installinit: Quote directory name before using it in
     a regex.
   * dh_installinit: Create script snippets for tmpfiles.d
     files even if the package has no sysvinit script or
     explicit debian/<package>.service file.
     (Closes: #795519)
   * dh_makeshlibs: Revert passing -X to ldconfig in compat 10
     after talking with the glibc maintainer.  This is not the
     right place to make this change.
   * d/control: Remove the homepage field.
   * dh: Make dh_strip_nondeterminism optional, so debhelper
     does not need to build-depend on it.
   * dh_gencontrol/dh_builddeb: Temporarily stop building ddebs
     for udebs as dpkg-gencontrol and dpkg-deb do not agree on
     the default file extension for these.
   * dh_builddeb: Generate udebs with the correct filename even
     when "-V" is passed to dpkg-gencontrol.  This relies on
     dpkg-deb getting everything but the extension correct
     (see #575059, #452273 for why it does not produce the
      correct extension).
     (Closes: #516721, #677353, #672282)
   * Dh_Lib.pm: Drop now unused "udeb_filename" subroutine.
   * dh_strip.1: Correct the documentation about ddebs to
     reflect the current implementation (rather than the
     desired "state").  Thanks to Jakub Wilk for the report.
     (Closes: #797002)
   * dh_fixperms: Reset permissions to 0644 for .js, .css,
     .jpeg, .jpg, .png, and .gif files.  Thanks to Ernesto
     Hernández-Novich for the suggestion.  (Closes: #595097)
   * dh_install: Read debian/not-installed if present as a
     list of files that are deliberately not installed.
     Files listed here will not cause dh_install to complain
     with --list-missing.  Thanks to Peter Eisentraut for the
     suggestion.  (Closes: #436240)
   * Dh_Lib: Cherry-pick patch from Chris Lamb to only read
     the latest changelog entry when determining the
     SOURCE_DATE_EPOCH.
   * debhelper.7: Provide a better example of how to insert
     the debhelper maintainer script snippets into a maintainer
     script written in Perl.  Thanks to Jakub Wilk for
     reporting the issues.  (Closes: #797904)
   * dh_shlibdeps: The "-L" option can now be passed multiple
     times with different package names.  Thanks to Tristan
     Schmelcher for the suggestion.  (Closes: #776103)
   * dh,Buildsytems: In compat 10, default to --parallel.
   * dh,Buildsytems: Accept "--no-parallel" to disable
     parallel builds.  It is effectively the same as using
     --max-parallel=1 but may be more intuitive to some people.
   * dh_makeshlibs: Use a noawait trigger to invoke ldconfig
     rather than maintscripts.
   * dh_installdirs.1: Add a note that many packages will work
     fine without calling dh_installdirs.  (Closes: #748993)
   * dh_compress: Apply patch from Rafael Kitover to support
     passing files to dh_compress that would have been
     compressed anyway.  (Closes: #794898)
   * Dh_Lib: Apply patch from Gergely Nagy to make debhelper
     export "DH_CONFIG_ACT_ON_PACKAGES" when executing an
     executable debhelper config file.  This is intended to
     assist dh-exec (etc.) in figuring what packages are
     acted on.  (Closes: #698054)
   * dh_movefiles: Expand globs in arguments passed in all
     compat levels (and not just compat 1 and 2).
     (Closes: #800332)
   * dh_installinit: Clearly document that --onlyscripts
     should generally be used with -p (or similar) to limit
     the number of affected packages.  (Closes: #795193)
 .
   [ Paul Tagliamonte ]
   * dh_gencontrol: Put debug debs back in the "debug" section.
   * dh_strip/dh_gencontrol: Add a space separated list of
     build-ids in the control file of packages containing
     detached debug symbols.
 .
   [ Andrew Ayer ]
   * d/control: Depend on dh-strip-nondeterminism
   * dh: Call dh_strip_nondeterminism during build.
     (Closes: #759895)
 .
   [ Colin Watson ]
   * Buildsystem.pm: Fix doit_in_sourcedir/doit_in_builddir to
     always chdir back to the original directory even if the
     subprocess exits non-zero.  (Closes: #798116)
 .
   [ Translations ]
   * Update Portuguese translation (Américo Monteiro)
     (Closes: #790820)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Nov 2015 07:27:22 GMT)


Added indication that bug 791823 blocks 785624 Request was from Mattia Rizzolo <mattia@debian.org> to control@bugs.debian.org. (Wed, 15 Jun 2016 23:33:14 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Aug 19 15:06:13 2023; Machine Name: buxtehude
