[Pkg-javascript-devel] Bug#947074: upstream tarballs for certain components contain unreasonably timestamped files
Paolo Greppi
paolo.greppi at libpf.com
Fri Dec 20 15:35:34 GMT 2019
Yes, those files get the timestamp from the upstream tarballs.
To reproduce:
dget https://deb.debian.org/debian/pool/main/n/node-yarnpkg/node-yarnpkg_1.21.1-1.dsc
ls -R --full-time node-yarnpkg-1.21.1/ | egrep -v '( 2019-| 2018-| 2017-| 2016)'
It could be fixed by re-uploading the tarballs with fixed timestamps, but I prefer to stick with upstream tarballs as-they-are ("source reproducibility").
So I propose to patch it by adding commands in d/rules auch as:
find dnscache/ | xargs touch
find hash-for-dep/ | xargs touch
find normalize-url/ | xargs touch
find npm-logical-tree/ | xargs touch
find query-string/ | xargs touch
find resolve-package-path/ | xargs touch
find string-replace-loader/ | xargs touch
find tar-fs/ | xargs touch
find v8-compile-cache/ | xargs touch
Any comments from the submitter or from the js-team ?
Paolo
More information about the Pkg-javascript-devel
mailing list