[Debian-on-mobile-maintainers] Bug#1066088: koko-data: please make the build reproducible.

James Addison jay at jp-hosting.net
Tue Mar 12 12:59:03 GMT 2024


Package: koko-data
Severity: wishlist
Tags: patch upstream
X-Debbugs-Cc: 
User: reproducible-builds at lists.alioth.debian.org
Usertags: timestamps

Dear Maintainer,

I'm an occasional volunteer contributor to the Reproducible Builds[1] project,
and noticed recently that the koko-data package failed some automated Debian
package reproducibility tests[2][3].

It looks like the cause of the non-reproducibility is that a zipfile extracted
by libarchive (as used internally by cmake) during the build is output with a
differing mtime based on the timezone that the build occurs in, since zipfiles
are written with file modification times based on the local system they were
created on.  Some discussion of this behaviour can be found[4] on the
libarchive bugtracker.

Please find attached a patch to temporarily use a fixed (UTC) timezone during
the relevant unzip step of the build process; I've confirmed that this results
in a fixed output mtime for the cities1000.txt file when building in different
timezones using dpkg-buildpackage on trixie.  I'll also offer this as a merge
request on Salsa.

Thank you,
James

[1] - https://reproducible-builds.org

[2] - https://tests.reproducible-builds.org/debian/rb-pkg/unstable/arm64/diffoscope-results/koko.html

[3] - https://salsa.debian.org/DebianOnMobile-team/koko/-/jobs/5423718

[4] - https://github.com/libarchive/libarchive/issues/945
-------------- next part --------------
From: James Addison <jay at jp-hosting.net>
Date: Tue, 12 Mar 2024 11:37:43 +0000
Subject: unzip the cities1000.zip file using a fixed timezone

Zipfiles are not timezone-aware; that is, files are typically written to a zip
archive with modification-times that are determined from the local system time.
.
That means that extracting the same zipfile in two different timezones may
produce different output file modification-times.  This occurs when libarchive
(as used by cmake) extracts the cities1000.zip file when building this package.
.
To build the package reproducibly, this patch temporarily configures a fixed
timezone of UTC during extraction of the cities1000.zip zipfile.
.
Ref: https://github.com/libarchive/libarchive/issues/945

---

--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -145,7 +145,7 @@ if (NOT EXISTS ${CMAKE_CURRENT_BINARY_DIR}/cities1000.zip)
 endif()
 
 execute_process(
-    COMMAND ${CMAKE_COMMAND} -E tar -xzf ${CMAKE_CURRENT_BINARY_DIR}/cities1000.zip
+    COMMAND env TZ=UTC ${CMAKE_COMMAND} -E tar -xzf ${CMAKE_CURRENT_BINARY_DIR}/cities1000.zip
     WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
 )
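Review bot: on the added `COMMAND env TZ=UTC ...` line, `env` is resolved from PATH as an external program, so the extraction step now depends on a Unix `env` binary being available. CMake's built-in form, `${CMAKE_COMMAND} -E env TZ=UTC ${CMAKE_COMMAND} -E tar ...`, sets the variable for the child process without that dependency. A one-line comment above the `execute_process(` call explaining why the timezone is pinned (zip timestamps carry no zone information) would also keep a later cleanup from removing it.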
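The timezone dependence described in the report can be checked without building the package. The following is an added example, not code from the report or from koko: it models an extractor that converts the zip member's stored wall-clock fields to an mtime with `mktime()` under the current `TZ`. The member timestamp, the file content and the POSIX `TZ` strings are constructed sample values.

```python
import io
import os
import time
import zipfile

# Constructed sample timestamp: zip members store naive wall-clock fields
# (DOS format, 2-second resolution) with no timezone attached.
STORED = (2024, 3, 12, 11, 37, 42)


def build_sample_zip() -> bytes:
    """Create an in-memory zip with one member carrying the STORED timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("cities1000.txt", date_time=STORED)
        zf.writestr(info, "constructed sample data\n")
    return buf.getvalue()


def stored_fields(zip_bytes: bytes, name: str) -> tuple:
    """Return the naive (Y, M, D, h, m, s) fields recorded for a member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.getinfo(name).date_time


def mtime_after_extract(zip_bytes: bytes, name: str, tz: str) -> int:
    """Epoch mtime assigned when the stored fields are read as local time in tz."""
    fields = stored_fields(zip_bytes, name)
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()  # Unix only: re-read TZ for this process
    try:
        return int(time.mktime(fields + (0, 0, -1)))
    finally:
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()


def survey(zip_bytes: bytes, name: str, zones: list) -> dict:
    """Map each TZ value to the mtime the extracted file would receive."""
    return {tz: mtime_after_extract(zip_bytes, name, tz) for tz in zones}


if __name__ == "__main__":
    data = build_sample_zip()
    for tz, mtime in survey(data, "cities1000.txt", ["UTC0", "JST-9", "EST5"]).items():
        print(f"TZ={tz:6} -> mtime {mtime}")
```

The same archive yields three different mtimes, and only pinning `TZ` makes the result independent of the build host.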


