Debian Bug report logs - #990840
apiguardian: reproducible builds: timestamp embedded in shipped .jar file

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Vagrant Cascadian <vagrant@reproducible-builds.org>

To: submit@bugs.debian.org

Subject: apiguardian: reproducible builds: timestamp embedded in shipped .jar file

Date: Thu, 08 Jul 2021 16:58:46 -0700

[Message part 1 (text/plain, inline)]

Package: apiguardian
Severity: normal
Tags: patch
User: reproducible-builds@lists.alioth.debian.org
Usertags: timestamps timezone
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org

The shipped apiguardian-api-1.1.0.jar embeds the time, date and timezone
in the build:

  https://tests.reproducible-builds.org/debian/rb-pkg/bullseye/amd64/diffoscope-results/apiguardian.html

  /usr/share/java/apiguardian-api-1.1.0.jar

  Build-Date:·2022-07-12\xd	
  vs.
  Build-Date:·2021-06-09\xd

  Build-Time:·01:53:17.318-1200\xd
  vs.
  Build-Time:·21:34:59.146+1400\xd


The attached patch modifies build.gradle to set the timezone to UTC when
the SOURCE_DATE_EPOCH environment variable is defined, and use
SOURCE_DATE_EPOCH to set the timestamp.

With this patch applied, apiguardian should become reproducible in the
tests.reproducible-builds.org infrastructure.


Thanks for maintaining apiguardian!


live well,
  vagrant

[0001-debian-patches-Support-reproducible-timestamps-in-th.patch (text/x-diff, inline)]

From 6e50539b3aef7df874d8890c9dcdb19123189cc9 Mon Sep 17 00:00:00 2001
From: Vagrant Cascadian <vagrant@reproducible-builds.org>
Date: Thu, 8 Jul 2021 23:53:10 +0000
Subject: [PATCH] debian/patches: Support reproducible timestamps in the .jar
 file.

Patch build.gradle to use SOURCE_DATE_EPOCH to avoid embedding
timestamp in .jar file.

https://reproducible-builds.org/docs/source-date-epoch/
---
 .../03-reproducible-builds-timestamp.patch    | 25 +++++++++++++++++++
 debian/patches/series                         |  1 +
 2 files changed, 26 insertions(+)
 create mode 100644 debian/patches/03-reproducible-builds-timestamp.patch

diff --git a/debian/patches/03-reproducible-builds-timestamp.patch b/debian/patches/03-reproducible-builds-timestamp.patch
new file mode 100644
index 0000000..4999dd9
--- /dev/null
+++ b/debian/patches/03-reproducible-builds-timestamp.patch
@@ -0,0 +1,25 @@
+Add support for SOURCE_DATE_EPOCH to avoid embedding timestamp in .jar
+file.
+
+https://reproducible-builds.org/docs/source-date-epoch/
+
+Index: apiguardian/build.gradle
+===================================================================
+--- apiguardian.orig/build.gradle
++++ apiguardian/build.gradle
+@@ -8,7 +8,14 @@ plugins {
+ 	id 'signing'
+ }
+ 
+-Date buildTimeAndDate = new Date()
++// https://reproducible-builds.org/docs/source-date-epoch/
++String source_date_epoch = System.getenv("SOURCE_DATE_EPOCH");
++if (source_date_epoch != null) {
++   TimeZone.setDefault(TimeZone.getTimeZone("UTC"))
++}
++Date buildTimeAndDate = source_date_epoch == null ?
++    new Date() :
++    new Date(1000 * Long.parseLong(source_date_epoch))
+ ext {
+ 	buildDate = new SimpleDateFormat('yyyy-MM-dd').format(buildTimeAndDate)
+ 	buildTime = new SimpleDateFormat('HH:mm:ss.SSSZ').format(buildTimeAndDate)
diff --git a/debian/patches/series b/debian/patches/series
index e7ac9c0..fb1a683 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 01-ignore-versioning-plugin.patch
 02-ignore-github-pages-plugin.patch
+03-reproducible-builds-timestamp.patch
-- 
2.32.0

[signature.asc (application/pgp-signature, inline)]

Message #8 received at 990840-submitter@bugs.debian.org (full text, mbox, reply):

From: Tony Mancill <noreply@salsa.debian.org>

To: 990840-submitter@bugs.debian.org

Subject: Bug#990840 marked as pending in apiguardian

Date: Wed, 14 Jul 2021 03:11:33 +0000

Control: tag -1 pending

Hello,

Bug #990840 in apiguardian reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/java-team/apiguardian/-/commit/21f42251ffd86ea1aeb87097a6c1b0d1845eff16

------------------------------------------------------------------------
Apply patch for reproducible builds (Closes: #990840)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/990840

Message #15 received at 990840-close@bugs.debian.org (full text, mbox, reply):

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

To: 990840-close@bugs.debian.org

Subject: Bug#990840: fixed in apiguardian 1.1.0-3

Date: Wed, 14 Jul 2021 03:33:24 +0000

Source: apiguardian
Source-Version: 1.1.0-3
Done: tony mancill <tmancill@debian.org>

We believe that the bug you reported is fixed in the latest version of
apiguardian, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990840@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
tony mancill <tmancill@debian.org> (supplier of updated apiguardian package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Jul 2021 20:01:12 -0700
Source: apiguardian
Architecture: source
Version: 1.1.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: tony mancill <tmancill@debian.org>
Closes: 990840
Changes:
 apiguardian (1.1.0-3) unstable; urgency=medium
 .
   * Team upload.
   * Apply patch for reproducible builds (Closes: #990840)
   * Use debhelper-compat 13
   * Bump Standards-Version to 4.5.1
   * Set Rules-Requires-Root: no in debian/control
   * Freshen debian/copyright
Checksums-Sha1:
 07b20c595a6a1878444fe81ee9cdfeec6c17d4a5 2049 apiguardian_1.1.0-3.dsc
 6c5f1c3629127347e102b50052109c0bfe3d8914 2496 apiguardian_1.1.0-3.debian.tar.xz
 74a023c9cc60d3448c7a6f94a1324ff6dd0568b7 12096 apiguardian_1.1.0-3_amd64.buildinfo
Checksums-Sha256:
 331258e880c72528e47756f96881ba363b8b2fd3673d1b23d3f8bd27ec69c675 2049 apiguardian_1.1.0-3.dsc
 e08714ef82e0db382fd0eeb1a7d5fe6a30976142aba108437f11aeff93e12218 2496 apiguardian_1.1.0-3.debian.tar.xz
 a9dfc402a66bd128c59aab7870d66ffffc676b32fbd3fc63b4170eefa8572c5f 12096 apiguardian_1.1.0-3_amd64.buildinfo
Files:
 338f19845d0ad84475161f5a47f150f2 2049 java optional apiguardian_1.1.0-3.dsc
 ace8ca32fa85734c198405a62498dee5 2496 java optional apiguardian_1.1.0-3.debian.tar.xz
 c3c4c3fc6c9215bba5cc969396558a2c 12096 java optional apiguardian_1.1.0-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEE5Qr9Va3SequXFjqLIdIFiZdLPpYFAmDuVckUHHRtYW5jaWxs
QGRlYmlhbi5vcmcACgkQIdIFiZdLPpa77g/+Pf2WGcWZs7FAVTcKaRlG9XAbBymZ
3HFJw7QCyHiK1httJlUmH29o6/mn4YzvyyMm+NvUYUrBVVr5f3aPstUB239+fez+
3O+C+CIsay829yw21YWv+up6VUiT/9fR9OI23SMyZ/BjzMxAoyRkQ1aNS++arFHm
SSijyxoU+0abv0HYEDVkQzKbfM7DiO+wy+Mu8sAP/jkcI4rPdGi+wSNRtvHmdRqI
EhJZ/M59Jde9V/ZbXzBZoPKsgIfWrj3YQlILC/Q8I7hKpApykCK1JsUF5N2cpOD7
GH8h3jQn9UTgNqkUfBbRhhvREskMPAgz0hCN9DrScFrW2G+Cedf4cCaEuftqVlid
Lcf7tHApNDJYkwmHBdQ/d5wV1klzvwdXrT4vVwnW4a31oV2zwLsTOrkx6imRBJmo
b4XNJq81eh0mWS0StlrDFUCEpY7h8DooZH7wKQidDkqu+pJPkMIkaiDifXSSgd1l
gOkC56/Jv9Ba/HU7bCDs5mejGhU5C13csfZ4EDJK9FSyPhFV3OUM75arW6/YAoOr
n6iXxuY9fwbiPR0GyhLvuIkhgTzV34/23BvsvxkvaVXq9mS1X+wrG+9Pqnmrh8Yk
aAPDBc6LRZTaIfOq1o39D/YNfwCWzrTGm3Miv9/MMyqnfS0EHTP7KvZd0iPpbXSL
CYY61/WR3cHVTv4=
=LHhx
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.