Debian Bug report logs - #797211
apt-dater: incorrect usage of SOURCE_DATE_EPOCH renders package unreproducible


Package: src:apt-dater; Maintainer for src:apt-dater is Patrick Matthäi <pmatthaei@debian.org>;

Reported by: Chris Lamb <lamby@debian.org>

Date: Fri, 28 Aug 2015 15:30:06 UTC

Severity: wishlist

Tags: patch

Found in version apt-dater/1.0.2-1

Fixed in version apt-dater/1.0.3-1

Done: Patrick Matthäi <pmatthaei@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>:
Bug#797211; Package src:apt-dater. (Fri, 28 Aug 2015 15:30:10 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Patrick Matthäi <pmatthaei@debian.org>. (Fri, 28 Aug 2015 15:30:10 GMT)


Message #5 received at submit@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: apt-dater: incorrect usage of SOURCE_DATE_EPOCH renders package unreproducible
Date: Fri, 28 Aug 2015 17:29:06 +0200
Source: apt-dater
Version: 1.0.2-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Hi,

There are two issues with the handling of SOURCE_DATE_EPOCH that
cause this package to remain reproducible:

 * Missing LC_ALL=C (or LC_TIME, etc.) in src/Makefile.am
   otherwise the formatted string is translated to the current
   locale.

 * Missing "shell" in the nested call to dpkg-parsechangelog, which
   actually results in SOURCE_DATE_EPOCH being set to midnight of the
   current day, then mangled by the *inverse* of the current timezone
   offset relative to UTC. It's quite a fun chain if you follow it..

A patch for these two issues is attached.

You might also want to fix:

 * Assignment of SOURCE_DATE_EPOCH in debian/rules overrides
   environment, i.e. prefer the set-if-absent operator.

     - SOURCE_DATE_EPOCH := $(shell [..]
     + SOURCE_DATE_EPOCH ?= $(shell [..]

   .. otherwise, an external value of SOURCE_DATE_EPOCH is not
   honoured.
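
Review bot: in the "+" line, `?=` makes SOURCE_DATE_EPOCH a recursively expanded variable, so the `$(shell [..]` call is re-run on every reference instead of once as with `:=`. If a single evaluation is wanted while still honouring an external value, keep `:=` and guard it with `ifndef SOURCE_DATE_EPOCH` / `endif`; the visible lines also do not show the variable being exported to the build.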

 * As it happens it's actually not required that you set this line.
   Debian's default toolchain will export it soon anyway, and our
   experimental toolchain does it already.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[apt-dater.diff.txt (text/plain, attachment)]
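
An added example (not part of the report or of apt-dater's build files): the set-if-absent behaviour and the locale- and timezone-pinned formatting that the message above asks for, written in shell with GNU date. The changelog trailer is constructed, the function names are hypothetical, and the empty `-d` argument is an assumption about how the missing "shell" could end in midnight of the current day.

```sh
#!/bin/sh
# Constructed sample: trailer line of a debian/changelog entry
# (not taken from the apt-dater package).
CHANGELOG_TRAILER=' -- Jane Maintainer <jane@example.org>  Fri, 28 Aug 2015 17:29:06 +0200'

# Shell equivalent of make's "?=": honour an external SOURCE_DATE_EPOCH,
# otherwise derive it from the changelog date.
source_date_epoch() {
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        printf '%s\n' "$SOURCE_DATE_EPOCH"
    else
        stamp=${CHANGELOG_TRAILER##*>  }   # keep only the RFC 2822 date
        date -u -d "$stamp" +%s
    fi
}

# Reproducible rendering: locale pinned with LC_ALL=C, timezone pinned with -u.
build_date() {
    LC_ALL=C date -u -d "@$1" '+%b %e %Y'
}

# Same format string, but inheriting the builder's locale and TZ.
build_date_naive() {
    date -d "@$1" '+%b %e %Y'
}

# Assumed failure mode: if the nested command expands to nothing, GNU date
# reads an empty -d argument as the beginning of today.
empty_date_arg_time() {
    date -d "" '+%H:%M:%S'
}

epoch=$(source_date_epoch)
echo "SOURCE_DATE_EPOCH=$epoch -> $(build_date "$epoch")"
echo "naive, TZ=UTC-14: $(TZ=UTC-14 build_date_naive "$epoch")"
echo "naive, TZ=UTC+12: $(TZ=UTC+12 build_date_naive "$epoch")"
```

Comparing the naive and pinned output under two TZ values is a quick check for an embedded build date that varies between builders.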

Reply sent to Patrick Matthäi <pmatthaei@debian.org>:
You have taken responsibility. (Mon, 13 Jun 2016 16:54:04 GMT)


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Mon, 13 Jun 2016 16:54:04 GMT)


Message #10 received at 797211-close@bugs.debian.org:

From: Patrick Matthäi <pmatthaei@debian.org>
To: 797211-close@bugs.debian.org
Subject: Bug#797211: fixed in apt-dater 1.0.3-1
Date: Mon, 13 Jun 2016 16:51:26 +0000
Source: apt-dater
Source-Version: 1.0.3-1

We believe that the bug you reported is fixed in the latest version of
apt-dater, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797211@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Matthäi <pmatthaei@debian.org> (supplier of updated apt-dater package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 13 Jun 2016 16:29:50 +0200
Source: apt-dater
Binary: apt-dater apt-dater-dbg
Architecture: source amd64
Version: 1.0.3-1
Distribution: unstable
Urgency: medium
Maintainer: Patrick Matthäi <pmatthaei@debian.org>
Changed-By: Patrick Matthäi <pmatthaei@debian.org>
Description:
 apt-dater  - terminal-based remote package update manager
 apt-dater-dbg - terminal-based remote package update manager (dbg symbols)
Closes: 797211 813103 826403 827107
Changes:
 apt-dater (1.0.3-1) unstable; urgency=medium
 .
   * New upstream release.
     - Silence obsolete tmux 2.2 option "status-utf8".
       Closes: #827107
     - Typo in german translation fixed.
       Closes: #813103
     - Fix generation of broken default xml files.
       Closes: #826403
     - Correct usage of SOURCE_DATE_EPOCH in Makefile and debian/rules.
       Closes: #797211
   * Bump Standards-Version to 3.9.8 (no changes required).
   * Enable full hardening.
   * Fix capitalization error in package description of openSUSE.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jul 2016 07:27:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:55:30 2023; Machine Name: bembo
