[Pkg-gnupg-maint] Bug#762397: [Reproducible-builds] Bug#762397: libgpg-error: please do not capture the current time during the build process

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Sep 22 21:27:48 UTC 2014 

Control: tags -1 + pending

On 09/22/2014 04:57 PM, Jérémy Bobbio wrote:
> Jeroen Dekkers:
>> Jérémy actually already wrote a patch for dpkg-buildpackage to export
>> DEB_BUILD_TIMESTAMP:
>>
>> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759999
>>
>> But if we want to push these things upstream, wouldn't it be better to
>> remove the DEB_ prefix from the name of the environment variable?
> 
> This is unrelated. DEB_BUILD_TIMESTAMP is meant to be consumed by dpkg.
> If libgpg-error build system needs to be fed with a timestamp, it would
> need to be through another environment variable. In that case,
> debian/rules should probably take care of feeding the right value.

yep, the patch i've prepared for libgpg-error (now available at the
pkg-gnupg repo[0]) modifies configure.ac to accept a generic env var,
and then sets it from debian/rules.

There might be a few more updates to libgpg-error that i'll roll into
the next debian release, and i want to let 1.16-1 transition to testing
before bumping it in unstable.  I hope to have this fixed in unstable in
a few days.

> But, sincerely, I believe the right move for upstream would be to get
> rid of the embedded timestamp entirely. Embedding a Git commit id would
> make much more sense (and mabye its date) than embedding the time of the
> build.

I've suggested to upstream that dropping the timestamp would also be
another way to go.

> PPS: If we start bikeshedding on every patch, there's not even the
> slightest chance we will get to the point where build reproducibility is
> actually a Debian feature. We need to trust maintainers to do the right
> things.

fwiw, i don't feel like this was bikeshedding.  I'm still learning my
way around the idea of creating reproducible builds, and discussion
about different ways to do things are helpful for me as i gain my
intuitions in this space.

Thanks to everyone for the suggestions and ideas.

	--dkg

[0] git://anonscm.debian.org/pkg-gnupg/libgpg-error.git

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 949 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnupg-maint/attachments/20140922/1a3d4ac9/attachment-0001.sig>

More information about the Pkg-gnupg-maint mailing list