Debian Bug report logs - #990839
opentest4j: reproducible builds: timestamp embedded in shipped .jar file

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>

To: submit@bugs.debian.org

Subject: opentest4j: reproducible builds: timestamp embedded in shipped .jar file

Date: Thu, 08 Jul 2021 16:49:01 -0700

[Message part 1 (text/plain, inline)]

Package: opentest4j
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps timezone
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The shipped opentest4j-1.2.0.jar embeds the time, date and timezone in
the build:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/opentest4j.html

  ./usr/share/java/opentest4j-1.2.0.jar

  Build-Date:·2022-07-12\xd
  vs.
  Build-Date:·2021-06-09\xd
 	
  Build-Time:·01:50:58.592-1200\xd
  vs.
  Build-Time:·21:32:48.944+1400\xd


The attached patch modifies build.gradle to set the timezone to UTC when
the SOURCE_DATE_EPOCH environment variable is defined, and use
SOURCE_DATE_EPOCH to set the timestamp.


With this patch applied, opentest4j should become reproducible in the
tests.reproducible-builds.org infrastructure.


Thanks for maintaining opentest4j!


live well,
  vagrant

[0001-debian-patches-Support-reproducible-timestamps-in-th.patch (text/x-diff, inline)]

From 851b4d88d014df82203851919906b0925b21bc1f Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Thu, 8 Jul 2021 23:38:36 +0000
Subject: [PATCH] debian/patches: Support reproducible timestamps in the .jar
 file.

Patch build.gradle to use SOURCE_DATE_EPOCH to avoid embedding
timestamp in .jar file.

https://reproducible-builds.org/docs/source-date-epoch/
---
 .../04-reproducible-builds-timestamp.patch    | 25 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 26 insertions(+)
 create mode 100644 debian/patches/04-reproducible-builds-timestamp.patch

diff --git a/debian/patches/04-reproducible-builds-timestamp.patch b/debian/patches/04-reproducible-builds-timestamp.patch
new file mode 100644
index 0000000..e92cde4
--- /dev/null
+++ b/debian/patches/04-reproducible-builds-timestamp.patch
@@ -0,0 +1,25 @@
+Add support for SOURCE_DATE_EPOCH to avoid embedding timestamp in .jar
+file.
+
+https://reproducible-builds.org/docs/source-date-epoch/
+
+Index: opentest4j/build.gradle
+===================================================================
+--- opentest4j.orig/build.gradle
++++ opentest4j/build.gradle
+@@ -9,7 +9,14 @@ plugins {
+ 	id 'signing'
+ }
+ 
+-Date buildTimeAndDate = new Date()
++// https://reproducible-builds.org/docs/source-date-epoch/
++String source_date_epoch = System.getenv("SOURCE_DATE_EPOCH");
++if (source_date_epoch != null) {
++   TimeZone.setDefault(TimeZone.getTimeZone("UTC"))
++}
++Date buildTimeAndDate = source_date_epoch == null ?
++    new Date() :
++    new Date(1000 * Long.parseLong(source_date_epoch))
+ ext {
+ 	buildDate = new SimpleDateFormat('yyyy-MM-dd').format(buildTimeAndDate)
+ 	buildTime = new SimpleDateFormat('HH:mm:ss.SSSZ').format(buildTimeAndDate)
diff --git a/debian/patches/series b/debian/patches/series
index 856631a..cb3366e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 01-ignore-versioning-plugin.patch
 02-ignore-github-pages-plugin.patch
 03-ignore-spotless-plugin.patch
+04-reproducible-builds-timestamp.patch
-- 
2.32.0

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 990839-submitter@bugs.debian.org (full text, mbox, reply):

From: Tony Mancill <noreply@salsa.debian.org>

To: 990839-submitter@bugs.debian.org

Subject: Bug#990839 marked as pending in opentest4j

Date: Wed, 14 Jul 2021 04:22:58 +0000

Control: tag -1 pending

Hello,

Bug #990839 in opentest4j reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/opentest4j/-/commit/786267d174ca270fff703136933b215acbdda1d8

------------------------------------------------------------------------
Apply patch for reproducible builds (Closes: #990839)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/990839

Message #15 received at 990839-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 990839-close@bugs.debian.org

Subject: Bug#990839: fixed in opentest4j 1.2.0-3

Date: Wed, 14 Jul 2021 04:34:40 +0000

Source: opentest4j
Source-Version: 1.2.0-3
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
opentest4j, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990839@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated opentest4j package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Jul 2021 21:06:46 -0700
Source: opentest4j
Architecture: source
Version: 1.2.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 990839
Changes:
 opentest4j (1.2.0-3) unstable; urgency=medium
 .
   * Team upload.
   * Apply patch for reproducible builds (Closes: #990839)
   * Use debhelper-compat 13
   * Bump Standards-Version to 4.5.1
   * Set Rules-Requires-Root: no in debian/control
   * Freshen debian/copyright
   * Add build-dep on junit4
   * Add debian/maven.rules to resolve junit4 dependency
   * Mark libopentest4j-java as Multi-Arch: foreign
Checksums-Sha1:
 132927f28e9efb3d2b4ea0db3aa3b0da1a157896 2042 opentest4j_1.2.0-3.dsc
 cc89d76ff609536b4c933a4f28da8302a8f2072b 3352 opentest4j_1.2.0-3.debian.tar.xz
 8cc0daabe44c013a209ddda544de69c8695ca9af 12086 opentest4j_1.2.0-3_amd64.buildinfo
Checksums-Sha256:
 19cfc4d8fc234e712d5a76b69983426da37da50378088516e00b2396cce53bda 2042 opentest4j_1.2.0-3.dsc
 56ff77d6e52c303b7997806b49ad5895b8ce551b2a534b42c902b8e485c5656d 3352 opentest4j_1.2.0-3.debian.tar.xz
 a4370ee0344be6d621b3d571385333077e42ef9daeb74a3b459f1235288646ba 12086 opentest4j_1.2.0-3_amd64.buildinfo
Files:
 88b1d498053a4c2ec3c64196492a9c14 2042 java optional opentest4j_1.2.0-3.dsc
 0c9c7a4c9618fb98762813c4fbf12f39 3352 java optional opentest4j_1.2.0-3.debian.tar.xz
 480ba7b003b769f6f8f66832871eec03 12086 java optional opentest4j_1.2.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmDuZogUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpZZXRAAxEX2aFWFxxOLagUBIp3CJFRbmoS7
sVLytzMZFf6c64VaidaWHW8nMupx7ULcctmHtPsJjaX/Ce8cIR/RUiHpXyrU0/dX
AGNm7cPEfu4dYjiRENCDEem/YAddplU7K9FTUBONAoni5d3u2Cb13p2+6/c8tWFN
g7+anXqItTOlw8og+by9hu0tGQZ8mPLmZqqcFirFXHGqTifhzJ8j+3F+Pe+/qsKq
uMPvjDbswEFj9vlvjk6leE02Jl/+qPks6R1O0pRedUeKd6FQI9+eF/o1NGJW8UCX
qxAqxNxexyAt65w9X11UBHETOO13AOItV/Dbcu9YFzSJ0dI747Bmuv4YnkTV7fxp
4r8B6+ENzWLdKBWQL7rEcw6w3BHiUV8QiWq9eJrTbQ5yTsjSpbuTsApif/yFotg9
iximOVodbOuCW+w7Dq6oqIICy1FX1S1thwGs7VtNUsmDdr7UcQR8NmAIoFVROUQw
/CEYEvmg21Y1uXk2M3IJHOyMGmzcHB3ZEcyBF6Yh0kx4aSr0/NyGHQ+mT2+rOnUs
sYfYcta8ZTxH99Fqc7SnHCfbtoXioq0VOc0VnQqE7KbfnFwByziYuNHhNT4anlFt
s36Baqf/gtxOLm6FN9+Za3n/TVdxxyukXore835K3h0m0Nnx5OkV9P33KJ+jQH+d
WUr+ezIFcseUQqI=
=F1Al
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.