Debian Bug report logs - #983588
xmlgraphics-commons: reproducible builds: Set timezone to UTC when SOURCE_DATE_EPOCH is set

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>

To: submit@bugs.debian.org

Subject: xmlgraphics-commons: reproducible builds: Set timezone to UTC when SOURCE_DATE_EPOCH is set

Date: Fri, 26 Feb 2021 11:33:45 -0800

[Message part 1 (text/plain, inline)]

Package: xmlgraphics-commons
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps timezone toolchain
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

Several packages use fop (which uses xmlgraphics-commons) to generate
PDF files in Debian packages, but the resulting PDF files have embedding
timestamps. This was partially fixed in fop:

  https://bugs.debian.org/978499


Unfortunately, in some cases the timezone information is still embedded
due to how xmlgraphics-commons embeds the date and timezone:

For example, in xorg-docs:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/xorg-docs.html

  /usr/share/doc/xorg-docs/License.pdf.gz

  dc:date>2020-12-20T04:18:36-12:00
  vs.
  dc:date>2020-12-21T06:18:36+14:00


The attached patch fixes this by adding setting the timezone to UTC when
the SOURCE_DATE_EPOCH environment variable is defined.  This patch is
just a rough draft; would appreciate improvements to it from someone who
knows their way around java better!


This seems to fix the embedded timestamp/timezone issues in several of
the packages listed in:

  https://tests.reproducible-builds.org/debian/issues/unstable/timestamps_in_pdf_generated_by_apache_fop_issue.html


Thanks for maintaining xmlgraphics-commons!


live well,
  vagrant

[0001-XMPSchemaAdapter.java-Use-UTC-timezone-when-SOURCE_D.patch (text/x-diff, inline)]

From 2146f4a44fbee1e3aef12e56ae3d904e793090cd Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Fri, 26 Feb 2021 19:10:10 +0000
Subject: [PATCH] XMPSchemaAdapter.java: Use UTC timezone when
 SOURCE_DATE_EPOCH is set.

SOURCE_DATE_EPOCH specifies the timestamp, but needs to be rendered in
UTC timezone to ensure reproducible builds.

https://reproducible-builds.org/docs/source-date-epoch/

This is a follow-up to https://bugs.debian.org/978499 in apache fop,
as there is no way for fop itself to pass the timezone information for
some values.
---
 .../java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java    | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java
index 9a41eba..19811a8 100644
--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java
+++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java
@@ -157,6 +157,11 @@ public class XMPSchemaAdapter {
      * @return the formatted date
      */
     public static String formatISO8601Date(Date dt) {
+        // https://reproducible-builds.org/docs/source-date-epoch/
+        String source_date_epoch = System.getenv("SOURCE_DATE_EPOCH");
+        if (source_date_epoch != null) {
+            return formatISO8601Date(dt, TimeZone.getTimeZone("Etc/UTC"));
+        }
         return formatISO8601Date(dt, TimeZone.getDefault());
     }
 
-- 
2.20.1

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 983588@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>

To: 983588@bugs.debian.org

Subject: Re: xmlgraphics-commons: reproducible builds: Set timezone to UTC when SOURCE_DATE_EPOCH is set

Date: Fri, 08 Oct 2021 18:16:33 -0700

[Message part 1 (text/plain, inline)]

On 2021-02-26, Vagrant Cascadian wrote:
> Several packages use fop (which uses xmlgraphics-commons) to generate
> PDF files in Debian packages, but the resulting PDF files have embedding
> timestamps. This was partially fixed in fop:
>
>   https://bugs.debian.org/978499
>
>
> Unfortunately, in some cases the timezone information is still embedded
> due to how xmlgraphics-commons embeds the date and timezone:
...
> The attached patch fixes this by adding setting the timezone to UTC when
> the SOURCE_DATE_EPOCH environment variable is defined.  This patch is
> just a rough draft; would appreciate improvements to it from someone who
> knows their way around java better!
>
>
> This seems to fix the embedded timestamp/timezone issues in several of
> the packages listed in:
>
>   https://tests.reproducible-builds.org/debian/issues/unstable/timestamps_in_pdf_generated_by_apache_fop_issue.html

This should fix reproducibility issues in several other packages; is
there anything else I can do to help getting this fix into Debian?


live well,
  vagrant

> From 2146f4a44fbee1e3aef12e56ae3d904e793090cd Mon Sep 17 00:00:00 2001
> From: Vagrant Cascadian <vagrant@reproducible-builds.org>
> Date: Fri, 26 Feb 2021 19:10:10 +0000
> Subject: [PATCH] XMPSchemaAdapter.java: Use UTC timezone when
>  SOURCE_DATE_EPOCH is set.
>
> SOURCE_DATE_EPOCH specifies the timestamp, but needs to be rendered in
> UTC timezone to ensure reproducible builds.
>
> https://reproducible-builds.org/docs/source-date-epoch/
>
> This is a follow-up to https://bugs.debian.org/978499 in apache fop,
> as there is no way for fop itself to pass the timezone information for
> some values.
> ---
>  .../java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java    | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java
> index 9a41eba..19811a8 100644
> --- a/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java
> +++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPSchemaAdapter.java
> @@ -157,6 +157,11 @@ public class XMPSchemaAdapter {
>       * @return the formatted date
>       */
>      public static String formatISO8601Date(Date dt) {
> +        // https://reproducible-builds.org/docs/source-date-epoch/
> +        String source_date_epoch = System.getenv("SOURCE_DATE_EPOCH");
> +        if (source_date_epoch != null) {
> +            return formatISO8601Date(dt, TimeZone.getTimeZone("Etc/UTC"));
> +        }
>          return formatISO8601Date(dt, TimeZone.getDefault());
>      }
>  
> -- 
> 2.20.1

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 983588@bugs.debian.org (full text, mbox, reply):

From: tony mancill <tmancill@debian.org>

To: Vagrant Cascadian <vagrant@reproducible-builds.org>, 983588@bugs.debian.org

Subject: Re: Bug#983588: xmlgraphics-commons: reproducible builds: Set timezone to UTC when SOURCE_DATE_EPOCH is set

Date: Sun, 10 Oct 2021 11:12:21 -0700

[Message part 1 (text/plain, inline)]

On Fri, Oct 08, 2021 at 06:16:33PM -0700, Vagrant Cascadian wrote:
> On 2021-02-26, Vagrant Cascadian wrote:
> 
> This should fix reproducibility issues in several other packages; is
> there anything else I can do to help getting this fix into Debian?

Err.. no, this is 100% on me.  I will prepare an upload soon.

Thank you for the patch!
tony

[signature.asc (application/pgp-signature, inline)]

Message #18 received at 983588-submitter@bugs.debian.org (full text, mbox, reply):

From: Tony Mancill <noreply@salsa.debian.org>

To: 983588-submitter@bugs.debian.org

Subject: Bug#983588 marked as pending in xmlgraphics-commons

Date: Sun, 10 Oct 2021 21:55:57 +0000

Control: tag -1 pending

Hello,

Bug #983588 in xmlgraphics-commons reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/xmlgraphics-commons/-/commit/505c4c8bddfe2a72e086b3a1becdf2fe3af998d0

------------------------------------------------------------------------
Set timezone to UTC when SOURCE_DATE_EPOCH is set (Closes: #983588)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/983588

Message #25 received at 983588-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 983588-close@bugs.debian.org

Subject: Bug#983588: fixed in xmlgraphics-commons 2.4-3

Date: Sun, 10 Oct 2021 22:25:59 +0000

Source: xmlgraphics-commons
Source-Version: 2.4-3
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
xmlgraphics-commons, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983588@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated xmlgraphics-commons package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 10 Oct 2021 14:49:19 -0700
Source: xmlgraphics-commons
Architecture: source
Version: 2.4-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 983588
Changes:
 xmlgraphics-commons (2.4-3) unstable; urgency=medium
 .
   * Team upload
   * Update Vcs URLs to point to Salsa
   * Use debhelper-compat 13
   * Remove deprecated get-orig-source target
   * Bump Standards-Version to 4.6.0
   * Set timezone to UTC when SOURCE_DATE_EPOCH is set (Closes: #983588)
     Thank you to Vagrant Cascadian for the patch.
   * Set Rules-Requires-Root: no in debian/control
Checksums-Sha1:
 44b8122cf055ed66bbe3682eb71c852eb3ed2b94 2375 xmlgraphics-commons_2.4-3.dsc
 5150943e80af1d8473321c4637b23169e93f3cba 8964 xmlgraphics-commons_2.4-3.debian.tar.xz
 c3a3527ce88dc62f46b1d41037248460fa0216df 14081 xmlgraphics-commons_2.4-3_amd64.buildinfo
Checksums-Sha256:
 159b365ee9ce303a34a37397dbe8fe618dbd5419db1c34928b8186ae7aa47279 2375 xmlgraphics-commons_2.4-3.dsc
 245df45e4d0c294d753deaae7a5b5b72be7c96a8f83efc72d19ba2e5d63c62cb 8964 xmlgraphics-commons_2.4-3.debian.tar.xz
 20905f9752d6f1ad880fef7216c9fb145ffa7a1e0732197fae41eec1f42ff408 14081 xmlgraphics-commons_2.4-3_amd64.buildinfo
Files:
 14b14c4161460754bcfee5494a7c715d 2375 java optional xmlgraphics-commons_2.4-3.dsc
 19621d0de2e8fa4f1ce796021cf46302 8964 java optional xmlgraphics-commons_2.4-3.debian.tar.xz
 6c8fd29b10067943c2f1c94836cd875f 14081 java optional xmlgraphics-commons_2.4-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmFjYQEUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpajZw/+MH7BrdXyu22P1OeMGhLgiFSwd9ub
eOCw1SUL8KxaGqo+OwidN5b79/j1Bm1F6IRJL1NzREw8/j5VZ+eZs/Gme1YxjL3E
OhlIzq5J2XRyyczj903/osJI07MpOu3c5KgyAE61tmRtOwkhASMstE0LHlBYWaWq
n6yMD/Zz/sghCdkRAImCJgoR1KtQAdhW7Wyt7QQcuQiRg2c7JN8OWHYXuUJOzMWJ
H5ebhWCuKVfTIuMRdztG2FIUWOW9jCY8iMzdaqOgbryY7SqWfKkJl1E5StcbrZ3i
fU3b5LiU3D3WMr9PJGt3Uu4wOcNsUBOcBmXIr90m2hm7BQyTTGPHHMCxgrs3NyE1
SofUldTEy43jPvIxCRxE9W0FEtEFzhRRrGlJkqRXv38hOZv4WxxEO7QwJvDQU7oN
V9JPa7AcX8iTSmMqoFzNCVBA9d/WuvQYY03I8Xc0pS4ZC3iBbs6h6hEi6KTQs2qR
h3HWxY/anDtZWEPVsBGA9KbL79gtOdqEhc4cQ7mQKfeu0v3gniAvRULUqLFbDWJS
n7xPtqPnCfTHDlcPY3i4U/UE4Na670w5WKqU7T0BePSHK5dSep80j7FnqUeoa+Yi
YIgl+i/ytW5xPpS9Sf5HqbUbwzP7h54Z34XhJNDo0QZdSKKHxZoCsxDOOeMSThI7
12mtx253h8yDFmE=
=W7uX
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.