Debian Bug report logs - #870890
apg: please make the build reproducible (timestamps)

version graph

Package: src:apg; Maintainer for src:apg is Marc Haber <mh+debian-packages@zugschlus.de>;

Reported by: jathan <jathanblackred@gmail.com>

Date: Sun, 6 Aug 2017 02:21:02 UTC

Severity: wishlist

Tags: patch

Found in version apg/2.2.3.dfsg.1-4

Fixed in version apg/2.2.3.dfsg.1-5

Done: Marc Haber <mh+debian-packages@zugschlus.de>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, reproducible-bugs@lists.alioth.debian.org, Marc Haber <mh+debian-packages@zugschlus.de>:
Bug#870890; Package src:apg. (Sun, 06 Aug 2017 02:21:05 GMT) (full text, mbox, link).

Acknowledgement sent to jathan <jathanblackred@gmail.com>:
New Bug report received and forwarded. Copy sent to reproducible-bugs@lists.alioth.debian.org, Marc Haber <mh+debian-packages@zugschlus.de>. (Sun, 06 Aug 2017 02:21:05 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: jathan <jathanblackred@gmail.com>
To: submit@bugs.debian.org
Subject: apg; please make the build reproducible (timestamps)
Date: Sat, 5 Aug 2017 21:19:19 -0500
[Message part 1 (text/plain, inline)]
Source: apg
Version: 2.2.3.dfsg.1-4
Severity: wishlist
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Hi!

While working on the “reproducible builds” effort [1], we have noticed
that apg could not be built reproducibly.

The attached patch clamps the timestamps to the changelog timestamp when
creating the source archive. Once applied, apg can be built reproducibly
in our current experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds

-- 
Por favor evita enviarme adjuntos en formato de word o powerpoint, si
quieres saber porque lee esto:
http://www.gnu.org/philosophy/no-word-attachments.es.html
¡Cámbiate a GNU/Linux! http://getgnulinux.org/es

[apg_2.2.3.dfsg.1-4_2.2.3.dfsg.1-4.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marc Haber <mh+debian-packages@zugschlus.de>:
Bug#870890; Package src:apg. (Sat, 12 Aug 2017 20:51:03 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to Marc Haber <mh+debian-packages@zugschlus.de>. (Sat, 12 Aug 2017 20:51:03 GMT) (full text, mbox, link).

Message #10 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@debian.org>
To: jathan <jathanblackred@gmail.com>, 870890@bugs.debian.org, submit@bugs.debian.org
Subject: Re: Bug#870890: apg; please make the build reproducible (timestamps)
Date: Sat, 12 Aug 2017 16:42:43 -0400
[Message part 1 (text/plain, inline)]
On 2017-08-05, jathan wrote:
> diff -Nru apg-2.2.3.dfsg.1/debian/changelog apg-2.2.3.dfsg.1/debian/changelog
> --- apg-2.2.3.dfsg.1/debian/changelog	2016-08-05 05:04:46.000000000 -0500
> +++ apg-2.2.3.dfsg.1/debian/changelog	2017-08-05 20:52:19.000000000 -0500
> @@ -1,3 +1,10 @@
> +apg (2.2.3.dfsg.1-4.1) UNRELEASED; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Fix timestamps_in_tarball reproducible build issue. 
> +
> + -- Jonathan Bustillos <jathanblackred@openmailbox.org>  Sat, 05 Aug 2017 20:52:19 -0500
> +
>  apg (2.2.3.dfsg.1-4) unstable; urgency=low
>  
>    * add patch from Steve Langasek to use correct compiler (Closes: #734870)
> diff -Nru apg-2.2.3.dfsg.1/debian/rules apg-2.2.3.dfsg.1/debian/rules
> --- apg-2.2.3.dfsg.1/debian/rules	2016-08-05 05:04:46.000000000 -0500
> +++ apg-2.2.3.dfsg.1/debian/rules	2017-08-05 20:49:26.000000000 -0500
> @@ -1,5 +1,6 @@
>  #!/usr/bin/make -f
>  
> +SOURCE_DATE := $(shell dpkg-parsechangelog --show-field=Date)
>  DEB_HOST_GNU_TYPE	?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
>  DEB_BUILD_GNU_TYPE	?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
>  
> @@ -19,6 +20,7 @@
>  	make install INSTALL_PREFIX=$(CURDIR)/debian/apg/usr
>  	mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg
>  	tar --create --file - --directory $(CURDIR)/php/apgonline/ . \
> +	  --clamp-mtime --mtime="$(SOURCE_DATE)" \
>  	  --mode=u=rwX,go=rX --sort=name | gzip --no-name > php.tar.gz
>  	install -D --mode=0644 php.tar.gz $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz
>  	rm php.tar.gz

Is it feasible to rewrite the patch using SOURCE_DATE_EPOCH, rather than
a custom variable name?

  https://reproducible-builds.org/specs/source-date-epoch/

live well,
  vagrant

[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Marc Haber <mh+debian-packages@zugschlus.de>:
Bug#870890; Package src:apg. (Sat, 12 Aug 2017 20:51:07 GMT) (full text, mbox, link).

Acknowledgement sent to Vagrant Cascadian <vagrant@debian.org>:
Extra info received and forwarded to list. Copy sent to Marc Haber <mh+debian-packages@zugschlus.de>. (Sat, 12 Aug 2017 20:51:07 GMT) (full text, mbox, link).

Changed Bug title to 'apg: please make the build reproducible (timestamps)' from 'apg; please make the build reproducible (timestamps)'. Request was from Chris Lamb <lamby@debian.org> to control@bugs.debian.org. (Tue, 05 Sep 2017 14:03:06 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Marc Haber <mh+debian-packages@zugschlus.de>:
Bug#870890; Package src:apg. (Mon, 02 Oct 2017 02:27:02 GMT) (full text, mbox, link).

Acknowledgement sent to jathan <jathanblackred@openmailbox.org>:
Extra info received and forwarded to list. Copy sent to Marc Haber <mh+debian-packages@zugschlus.de>. (Mon, 02 Oct 2017 02:27:02 GMT) (full text, mbox, link).

Message #22 received at 870890@bugs.debian.org (full text, mbox, reply):

From: jathan <jathanblackred@openmailbox.org>
To: 870890@bugs.debian.org
Subject: Re: Bug#870890: apg; please make the build reproducible (timestamps)
Date: Sun, 1 Oct 2017 21:18:29 -0500
[Message part 1 (text/plain, inline)]
Hi. I have rewrited the apg patch using SOURCE_DATE_EPOCH variable. The
attached patch clamps the timestamps to the changelog timestamp when
creating the source archive using using SOURCE_DATE_EPOCH variable. Once
applied, apg can be built reproducibly in our current experimental
framework. Cheers.

Jathan

-- 
Por favor evita enviarme adjuntos en formato de word o powerpoint, si
quieres saber porque lee esto:
http://www.gnu.org/philosophy/no-word-attachments.es.html
¡Cámbiate a GNU/Linux! http://getgnulinux.org/es

[apg_2.2.3.dfsg.1-4_2.2.3.dfsg.1-4.1.debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, attachment)]

Reply sent to Marc Haber <mh+debian-packages@zugschlus.de>:
You have taken responsibility. (Mon, 02 Oct 2017 13:51:05 GMT) (full text, mbox, link).

Notification sent to jathan <jathanblackred@gmail.com>:
Bug acknowledged by developer. (Mon, 02 Oct 2017 13:51:05 GMT) (full text, mbox, link).

Message #27 received at 870890-close@bugs.debian.org (full text, mbox, reply):

From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 870890-close@bugs.debian.org
Subject: Bug#870890: fixed in apg 2.2.3.dfsg.1-5
Date: Mon, 02 Oct 2017 13:49:03 +0000
Source: apg
Source-Version: 2.2.3.dfsg.1-5

We believe that the bug you reported is fixed in the latest version of
apg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870890@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages@zugschlus.de> (supplier of updated apg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 01 Oct 2017 22:19:40 +0000
Source: apg
Binary: apg
Architecture: source amd64
Version: 2.2.3.dfsg.1-5
Distribution: unstable
Urgency: low
Maintainer: Marc Haber <mh+debian-packages@zugschlus.de>
Changed-By: Marc Haber <mh+debian-packages@zugschlus.de>
Description:
 apg        - Automated Password Generator - Standalone version
Closes: 849109 870890
Changes:
 apg (2.2.3.dfsg.1-5) unstable; urgency=low
 .
   * add warning to package description about FIPS 181 deprecation.
     Thanks to kwadronaut (Closes: #849109)
   * patch debian/rules to help with reproduibility.
     Thanks to Jathan and Vadgrant Cascadian (Closes: #870890)
   * Standards-Version: 4.1.0 (no changes necessary)
Checksums-Sha1:
 f141a33cf34616cdb8a0d6ee675c31b7b9cacadc 1839 apg_2.2.3.dfsg.1-5.dsc
 020963e4f917acc519f8cf99f4c4ba403f0ba6c2 9480 apg_2.2.3.dfsg.1-5.debian.tar.xz
 dbe076357b016c3111e217c57eb430f406982887 43854 apg-dbgsym_2.2.3.dfsg.1-5_amd64.deb
 0ebd257b5c95be6b82f58b28625dd400db76b7d6 5859 apg_2.2.3.dfsg.1-5_amd64.buildinfo
 4032bf87e5d17621b294ff9ed7cae431ceecd5b3 52510 apg_2.2.3.dfsg.1-5_amd64.deb
Checksums-Sha256:
 7b3c73e380b1c4106088ff7f876e1ad4e54ee1d5866a33ef2ca150c223f014e6 1839 apg_2.2.3.dfsg.1-5.dsc
 8305fdb424d934f4d217b7910e0b971cff205b28857b9dc9df95e38bd1aaa9a0 9480 apg_2.2.3.dfsg.1-5.debian.tar.xz
 2104d09d7202964c9c7b8a9974066c77fcf4de160ee139126011926fa0fc933c 43854 apg-dbgsym_2.2.3.dfsg.1-5_amd64.deb
 67c4a1ac9065c432976f095977b84e3717da21680f0d6c36750dc161894e06ea 5859 apg_2.2.3.dfsg.1-5_amd64.buildinfo
 e41c011c712f7bf2e433e9ca24c016a4ce0b837722a6e96bcedd79faa1053599 52510 apg_2.2.3.dfsg.1-5_amd64.deb
Files:
 66895e1a6dd397b76319c24bda3cd2fb 1839 admin optional apg_2.2.3.dfsg.1-5.dsc
 2b0ea2b00dbe01c18e04d896f8c96ef7 9480 admin optional apg_2.2.3.dfsg.1-5.debian.tar.xz
 61184f538039d9ad5041e5f98136727e 43854 debug optional apg-dbgsym_2.2.3.dfsg.1-5_amd64.deb
 e7c4ff8c13a9a3bc940a47217e55e27e 5859 admin optional apg_2.2.3.dfsg.1-5_amd64.buildinfo
 3c434077a8fb7e9d246f289d1eb2aa19 52510 admin optional apg_2.2.3.dfsg.1-5_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE6QL5UJ/L0pcuNEbjj3cgEwEyBEIFAlnSQJ0ACgkQj3cgEwEy
BELf+w/7By9LtF4NzTEUFoJslWxt0OFwwbaQT+9dlUbwWkhoC5dCnVDpksZWDj9P
/ef2eO88Rw3wYApic3Dl7koCZY8sBWpnYWNpY4xIsFeg09pF2FE96vQ2UVsfXkYC
smaOWUNl6v7iaVADBxP+t12v5X7bqD4tf0klbO1QwpVGx3ynrRhM6Pqg6qCuZvSX
OYjOkgHRekcK0wuK2ksA+rDiH0LDu7mI6ENqLZbkfSQI1eLCcWXLm7uMi1Ju+ZNC
aJlldQmHk2Op6FeESgt4pd2oAGoFFJMx3jiwm4o1WaY3ir5NxmRZEtDfnpAkManB
poEipT4hVe4+IdnD3x4v6Wgvz5fakAjHlLrQ+wJrn8RvcmlBGsZNIInUyrdLS8si
eoM2gxrlDbZbR4jkLNWIEp9ws9o/JWD1CSUG5TTMC1fRfPa7XpMDEAogjfjf4rUK
JqxroJMBhaQEKM5OEujLMWCpcy+xykHCODWOsPqwF0pF1b1x8u/GfO7m9Qt30Fvc
GRL2ViHwv3H8nUlov582q0sSJI4dv5wO1siWRgGg30gcKqCZMb8evWi11ZA/UjrU
Yk227nGvUbZ/xDtvSeqsr4r96QzRLawWbtIDGQda4ki/B+5Oq0qeZb2Z3AvVN4xQ
s03qmOx9FhtwAK2kQthSW9Ksuk6AmSQWI6S0O9mBQ3X2Mw8T79s=
=ls+f
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Nov 2017 07:27:47 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed May 17 13:49:29 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.