Debian Bug report logs - #849926
nxt-firmware: please make the build reproducible (timestamps)

version graph

Package: src:nxt-firmware; Maintainer for src:nxt-firmware is Debian LEGO Team <debian-lego-team@lists.alioth.debian.org>;

Reported by: Dhole <dhole@openmailbox.org>

Date: Mon, 2 Jan 2017 10:54:01 UTC

Severity: wishlist

Tags: patch

Found in version nxt-firmware/1.29-20120908+dfsg-3

Fixed in version nxt-firmware/1.29-20120908+dfsg-6

Done: Dominik George <nik@naturalnet.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Debian LEGO Team <debian-lego-team@lists.alioth.debian.org>:
Bug#849926; Package src:nxt-firmware. (Mon, 02 Jan 2017 10:54:03 GMT) (full text, mbox, link).

Acknowledgement sent to Dhole <dhole@openmailbox.org>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Debian LEGO Team <debian-lego-team@lists.alioth.debian.org>. (Mon, 02 Jan 2017 10:54:03 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Dhole <dhole@openmailbox.org>
To: submit@bugs.debian.org
Subject: nxt-firmware: please make the build reproducible (timestamps)
Date: Mon, 2 Jan 2017 02:43:10 -0800
[Message part 1 (text/plain, inline)]
Source: nxt-firmware 
Version: 1.29-20120908+dfsg-3 
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Hi,

While working on the "reproducible builds" effort [1], we have noticed
that nxt-firmware could not be built reproducibly.

Part of the source code used to build the firmware image embeds the
build timestamp through the __DATE__ and __TIME__ gcc macros.
Unfortunately arm-none-eabi-gcc doesn't honour SOURCE_DATE_EPOCH yet, so
it generates unreproducible results.

The attached patch fixes this by replacing the usage of __DATE__ and
__TIME__ by fixed date and time strings.  Once applied, nxt-firmware can
be built reproducibly in our current experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds

Regards,
-- 
Dhole

[nxt-firmware.diff.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian LEGO Team <debian-lego-team@lists.alioth.debian.org>:
Bug#849926; Package src:nxt-firmware. (Fri, 06 Jan 2017 13:51:02 GMT) (full text, mbox, link).

Acknowledgement sent to Dominik George <nik@naturalnet.de>:
Extra info received and forwarded to list. Copy sent to Debian LEGO Team <debian-lego-team@lists.alioth.debian.org>. (Fri, 06 Jan 2017 13:51:02 GMT) (full text, mbox, link).

Message #10 received at 849926@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>
To: Dhole <dhole@openmailbox.org>, 849926@bugs.debian.org
Subject: Re: [Debian-lego-team] Bug#849926: nxt-firmware: please make the build reproducible (timestamps)
Date: Fri, 6 Jan 2017 14:49:44 +0100
[Message part 1 (text/plain, inline)]
Hi,

> While working on the "reproducible builds" effort [1], we have noticed
> that nxt-firmware could not be built reproducibly.
> 
> Part of the source code used to build the firmware image embeds the
> build timestamp through the __DATE__ and __TIME__ gcc macros.
> Unfortunately arm-none-eabi-gcc doesn't honour SOURCE_DATE_EPOCH yet, so
> it generates unreproducible results.
> 
> The attached patch fixes this by replacing the usage of __DATE__ and
> __TIME__ by fixed date and time strings.  Once applied, nxt-firmware can
> be built reproducibly in our current experimental framework.

Thanks for finding that!

I chose to go a slightly different way by injecting the timestamp from
the debian/changelog into the build so it does not lose all meaning.

I built the package twice and verified the resulting binary has the same
sha1sum.

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Mobile: +49-1520-1981389 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V.
Fellowship of the FSFE · Piratenpartei Deutschland
Opencaching Deutschland e.V. · Debian Maintainer

LPIC-3 Linux Enterprise Professional (Security)

[signature.asc (application/pgp-signature, inline)]

Reply sent to Dominik George <nik@naturalnet.de>:
You have taken responsibility. (Fri, 06 Jan 2017 16:21:21 GMT) (full text, mbox, link).

Notification sent to Dhole <dhole@openmailbox.org>:
Bug acknowledged by developer. (Fri, 06 Jan 2017 16:21:21 GMT) (full text, mbox, link).

Message #15 received at 849926-close@bugs.debian.org (full text, mbox, reply):

From: Dominik George <nik@naturalnet.de>
To: 849926-close@bugs.debian.org
Subject: Bug#849926: fixed in nxt-firmware 1.29-20120908+dfsg-6
Date: Fri, 06 Jan 2017 16:18:41 +0000
Source: nxt-firmware
Source-Version: 1.29-20120908+dfsg-6

We believe that the bug you reported is fixed in the latest version of
nxt-firmware, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 849926@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dominik George <nik@naturalnet.de> (supplier of updated nxt-firmware package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 06 Jan 2017 16:44:52 +0100
Source: nxt-firmware
Binary: nxt-firmware
Architecture: source all
Version: 1.29-20120908+dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian LEGO Team <debian-lego-team@lists.alioth.debian.org>
Changed-By: Dominik George <nik@naturalnet.de>
Description:
 nxt-firmware - Improved firmware for LEGO Mindstorms NXT bricks
Closes: 849926
Changes:
 nxt-firmware (1.29-20120908+dfsg-6) unstable; urgency=medium
 .
   * Inject timestamp from changelog into build to make it reproducible.
     Thanks to Eduard Sanou for pointing out. (Closes: #849926)
   * debian/watch: added a fake site to explain about the current
     status of the original upstream homepage.
Checksums-Sha1:
 3bdde5da9df1361b20b2a516e4228af934606d51 2211 nxt-firmware_1.29-20120908+dfsg-6.dsc
 301d777308befe7dea4dba1aa8c8b89564110eaa 10700 nxt-firmware_1.29-20120908+dfsg-6.debian.tar.xz
 30090133e4214e7c0b3df95ebe5117d5fcfdfb9a 100614 nxt-firmware_1.29-20120908+dfsg-6_all.deb
Checksums-Sha256:
 07a071d174942ba934f46afb73cbf77407f2013b9e6f7a8022948db7db3ab459 2211 nxt-firmware_1.29-20120908+dfsg-6.dsc
 7f0a4a95b924985a1babacb082d919a8ff23d5e93aefe02d27a25e43c8b31e67 10700 nxt-firmware_1.29-20120908+dfsg-6.debian.tar.xz
 e4a375a69f4c5c0cde86a8cfaf1964fca838ae3d0ca89e4fde5f92e11b4502b6 100614 nxt-firmware_1.29-20120908+dfsg-6_all.deb
Files:
 9a6b10d1db894c9e90c2a5c4576d4290 2211 electronics optional nxt-firmware_1.29-20120908+dfsg-6.dsc
 b9a8f2c5f5ddb98f62b07f4487c0439c 10700 electronics optional nxt-firmware_1.29-20120908+dfsg-6.debian.tar.xz
 8a419941028a4fd12f21e2989677df39 100614 electronics optional nxt-firmware_1.29-20120908+dfsg-6_all.deb

-----BEGIN PGP SIGNATURE-----

iQJlBAEBCABPFiEEPJ1UpHV1wCb7F/0mt5o8FqDE8pYFAlhvvcMxGmh0dHBzOi8v
d3d3LmRvbWluaWstZ2VvcmdlLmRlL2dwZy1wb2xpY3kudHh0LmFzYwAKCRC3mjwW
oMTyliOLEACP6blZA918xpCjailq1NLarwNU07+cKfL7KkE7+6SkiVOHg7RP2DLd
Nt9eiz0s0uURmLfQpPwY32fb4SmVt+dJjt1PnsUQAfEv+M5nkW+DQJoNJ0GZn/10
nU/+ZLf8kofHE+KWpVdvcTAbW96bbhAXV1wlaZDG19sNvdiHsTVvnd/lgtPlQwnx
fVAJum11OX1iEr2QhriY6XAvEjYMvhfRCyv7jRUsfDiCHGMKK7GULQ2jhch6P9L/
t7daSKWBuu3tbAnmjPY4dkLxPd+79JmdNo5OZeCX8iLTFddvZZwS8MqfTnoR6g2T
tOH+j14i7bC2HnqhPx91gQW5O8ZQI5Thp0wLL6TtABQAQJyK7EtguPadc8/eNRmP
3tn06nZSZalf2la+6T+86m6DgEqAvdMx6jetW+78yIx366TZbWtpSF3D4WtMr4DV
AQ0YH94xzaZOqwGpWOcpwP5BRfM6jXm4qacdiCB5bCF11JhR+bXewWIaqKHhyoKb
EczPj6L8RkMU82MggIx16AbTkDzf8+roXhcljFVXKaHcFt9QOa7HhfwjmFH2ilcT
OdVdLmBshphk7er7nJQTCX47mS7Xr4DFIg+tK8fdvOoIbLPq1v+jr6IBiGr4zvGp
QQfl4z1ekRpkIMqe+3796L+L63fzm6GRBcrew5TiX8nIKewKMyBu6A==
=oCPd
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 27 Feb 2017 07:26:22 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:43:37 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.