Debian Bug report logs - #797296
shiro: please make the build reproducible


Package: src:shiro; Maintainer for src:shiro is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>;

Reported by: Chris Lamb <lamby@debian.org>

Date: Sat, 29 Aug 2015 10:09:01 UTC

Severity: wishlist

Tags: patch

Found in version shiro/1.2.4-1

Fixed in version shiro/1.2.5-1

Done: tony mancill <tmancill@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-builds@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#797296; Package src:shiro. (Sat, 29 Aug 2015 10:09:05 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
New Bug report received and forwarded. Copy sent to reproducible-builds@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 29 Aug 2015 10:09:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: submit@bugs.debian.org
Subject: shiro: please make the build reproducible
Date: Sat, 29 Aug 2015 12:04:27 +0200
Source: shiro
Version: 1.2.4-1
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: username
X-Debbugs-Cc: reproducible-builds@lists.alioth.debian.org

Hi,

While working on the "reproducible builds" effort [1], we have noticed
that shiro could not be built reproducibly.

The attached patch removes username capturing from the build system by
replacing it with "debian" which is probably more useful from upstream's
PoV, especially as the build date (which *is* reproducible due to [2])
is not the current date.

Once applied, shiro can be built reproducibly in our reproducible
toolchain.

 [1]: https://wiki.debian.org/ReproducibleBuilds
 [2]: http://sources.debian.net/src/maven2-core/2.2.1-22/debian/patches/0006-reproducible-built-timestamp.patch/?hl=1#L1


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-
[shiro.diff.txt (text/plain, attachment)]
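
The effect described in the report above, as an added example that is not part of the bug log or the attached patch: a captured username makes otherwise identical builds hash differently, and pinning it to "debian" removes the difference. It assumes the username lands in the JAR manifest as a `Built-By` attribute; the JARs, the account names and the helper functions are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Assumption (not stated on the page): the builder's username is recorded
# in META-INF/MANIFEST.MF under this attribute.
ENV_ATTRS = ("Built-By",)

def build_jar(username: str) -> bytes:
    """Constructed stand-in for a build: a JAR whose manifest names the builder."""
    manifest = (
        "Manifest-Version: 1.0\r\n"
        f"Built-By: {username}\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Fixed entry timestamp, so the username is the only varying input.
        info = zipfile.ZipInfo("META-INF/MANIFEST.MF",
                               date_time=(2015, 8, 29, 0, 0, 0))
        jar.writestr(info, manifest)
    return buf.getvalue()

def patched_build(username: str) -> bytes:
    """Same build with the username replaced by the fixed value "debian"."""
    return build_jar("debian")

def env_attributes(jar_bytes: bytes) -> dict:
    """Return the manifest attributes that capture the build environment."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8")
    found = {}
    for line in text.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name in ENV_ATTRS:
            found[name] = value
    return found

def is_reproducible(build, users) -> bool:
    """True when builds run under different accounts are byte-identical."""
    digests = {hashlib.sha256(build(u)).hexdigest() for u in users}
    return len(digests) == 1

if __name__ == "__main__":
    users = ["alice", "bob"]  # constructed account names
    print("unpatched:", is_reproducible(build_jar, users))
    print("patched:  ", is_reproducible(patched_build, users))
```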

Reply sent to tony mancill <tmancill@debian.org>:
You have taken responsibility. (Sun, 12 Jun 2016 19:21:11 GMT)


Notification sent to Chris Lamb <lamby@debian.org>:
Bug acknowledged by developer. (Sun, 12 Jun 2016 19:21:11 GMT)


Message #10 received at 797296-close@bugs.debian.org:

From: tony mancill <tmancill@debian.org>
To: 797296-close@bugs.debian.org
Subject: Bug#797296: fixed in shiro 1.2.5-1
Date: Sun, 12 Jun 2016 19:19:17 +0000
Source: shiro
Source-Version: 1.2.5-1

We believe that the bug you reported is fixed in the latest version of
shiro, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797296@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated shiro package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 12 Jun 2016 11:57:59 -0700
Source: shiro
Binary: libshiro-java
Architecture: source all
Version: 1.2.5-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Description:
 libshiro-java - Apache Shiro - Java Security Framework
Closes: 797296 826653
Changes:
 shiro (1.2.5-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release.
     Fixes CVE-2016-4437 (Closes: #826653)
   * Bump Standards-Version to 3.9.8 (no changes).
   * Include reproducible build patch.
     Thank you to Chris Lamb. (Closes: #797296)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 13 Jul 2016 07:36:06 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:53:17 2023; Machine Name: buxtehude
