Bug#1020648: extrepo-data: reproducible builds: Timestamps recorded for all packaged files

Vagrant Cascadian vagrant at reproducible-builds.org
Sat Sep 24 20:44:35 BST 2022 

Source: extrepo-data
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org, distro-info at packages.debian.org

It seems extrepo-data embeds different repository information depending
on when it is built, inferring the resolution of the "testing" suite to
a specific named released based on the current date (e.g. bookworm
vs. trixie).

  https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/extrepo-data.html

  usr/share/extrepo/offline-data/debian/trixie/consol.asc
  vs.
  usr/share/extrepo/offline-data/debian/bookworm/consol.asc

This is because extrepo-data calls DebianDistroInfo->new() from
libdistro-info-perl:

  tools/lib/ExtRepoData.pm:my $info = DebianDistroInfo->new();

Which resolves testing to a suite based on the current date.


The attached patch works around this by explicitly passing the codenames
instead of the "testing" suite, though I am not sure the specified
repositories actually exist, so should require further verification
before applying. There may be similar issues with using "stable" suites
as well, though I have not found any examples at the moment.


There are likely better ways to resolve this issue (e.g. adding
SOURCE_DATE_EPOCH support to libdistro-info-perl), though hopefully
someone with a bit more perl skills can tackle that. Specifying suites
explicitly might be better than relying on a "testing" suite that may
change codename regardless of weather libdistro-info-perl is fixed
anyways. (e.g. a security or stable or oldstable update might result in
a package with totally with different respositories).


With this patch applied, extrepo-data should build reproducibly on
tests.reproducible-builds.org!


Thanks for maintaining extrepo-data!


live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Avoid-using-testing-which-produces-different-results.patch
Type: text/x-diff
Size: 1567 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220924/fe5df9bc/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220924/fe5df9bc/attachment.sig>

More information about the Reproducible-bugs mailing list