[Pkg-rust-maintainers] Bug#993216: Bug#993216: dh-cargo timestamp fix doesn't cover changelogs installed to /usr/share/doc

James McCoy jamessan at debian.org
Sun Aug 29 13:12:57 BST 2021


On Sat, Aug 28, 2021 at 06:36:24PM +0100, Ximin Luo wrote:
> plugwash:
> > package: dh-cargo
> > 
> > Recently a substantial number of upstream cargo packages started using timestamps the ftpmasters
> > consider reject-worthy, I believe this was done in the name of reproducibility.
> > 
> 
> On what basis are you forming your belief? Because I worked on reproducibility for a couple of years (and was advising the rustc guys about it), and this method is not suitable for that purpose.

Cargo package[0] uses tar-rs' HeaderMode::Deterministic when adding files
to the tar archive (or an explicit mtime of 1 for generated files).

HeaderMode::Deterministic sets the mtime for the member to a hard-coded
date which was 0 (epoch)[1], then 123456789 (Nov 29, 1973)[2], and now
1153704088 (Jul 23, 2006)[3].

We already had a workaround for the generated files, and further
workarounds were recently added for the non-generated files.

[0]: https://github.com/rust-lang/cargo/blob/bf505afa92245afda23e8f121a34af836789ab2e/src/cargo/ops/cargo_package.rs#L546-L576
[1]: https://github.com/alexcrichton/tar-rs/commit/207be8862216b2f57730b21e10193c9aa5d6eaac
[2]: https://github.com/alexcrichton/tar-rs/commit/e81f172113c44742c9e096c296f3055abd2dfa0b
[3]: https://github.com/alexcrichton/tar-rs/commit/60c6bd81d73fd0e340cfb0e147aae13ce23e18c6

> From what I gather during previous discussions, some overzealous FTP person ages ago decided to add this over-reaching check, to reject other bad-quality packages, without thinking about the long-term consequences of it. Now we must all suffer the consequences.

The comment in dak around these checks is:

    """check timestamps of files in binary packages

    Files in the near future cause ugly warnings and extreme time travel
    can cause errors on extraction.
    """

Have you tried discussing this with ftp-team again?

> The correct fix is to undo this injustice, not to leech volunteers' time with this sort of bullshit. Covid has killed several million people in the past couple years due to government incompetence and inaction, I don't want to care about fucking timestamps, ESPECIALLY when it has nothing to do with reproducibility.

The checks from the ftp-team have nothing to do with reproducibility.
That was the justification for the changes done on /Rust's/ side.

The existing code in dh-cargo just sets mtime to $SOURCE_DATE_EPOCH for
files it installs, but other files (like upstream's changelog) are
installed by other debhelper commands.

Maybe we need a dh_cargo-timestamp helper that can be automatically run
just before dh_builddeb to adjust the timestamp for all files in binary
packages?

Cheers,
-- 
James
GPG Key: 4096R/91BF BF4D 6956 BD5D F7B7  2D23 DFE6 91AE 331B A3DB
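
A sketch of the kind of pass proposed in the message above, as an added example that is not part of the original message and is not dh-cargo's code: it walks a binary package staging tree and resets every mtime older than a cutoff to SOURCE_DATE_EPOCH. The names `clamp_old_mtimes` and `demo`, the file names, the package directory and the SOURCE_DATE_EPOCH value are constructed, and the cutoff (1975-01-01 UTC) is an assumed value, since the thread does not state dak's threshold.

```python
import os
import tempfile

# mtimes named in the thread: tar-rs Deterministic values 0, 123456789 and
# 1153704088, plus the explicit mtime of 1 cargo gives generated files.
# The file names they are attached to here are constructed sample data.
CARGO_MTIMES = {"Cargo.toml.orig": 0, "Cargo.lock": 1,
                "changelog": 123456789, "README.md": 1153704088}


def clamp_old_mtimes(root, source_date_epoch, cutoff):
    """Reset to source_date_epoch every mtime under root older than cutoff.

    Returns the sorted root-relative paths that were changed."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    nofollow = os.utime in os.supports_follow_symlinks
    changed = []
    for path in entries:
        st = os.lstat(path)  # lstat: judge the link itself, not its target
        if st.st_mtime >= cutoff:
            continue
        if os.path.islink(path) and not nofollow:
            continue  # cannot touch the link itself on this platform
        kwargs = {"follow_symlinks": False} if nofollow else {}
        # Keep atime as it was; only mtime is rewritten.
        os.utime(path, ns=(st.st_atime_ns, source_date_epoch * 10**9), **kwargs)
        changed.append(os.path.relpath(path, root))
    return sorted(changed)


def demo(source_date_epoch=1630000000, cutoff=157766400):
    """Constructed tree; cutoff (1975-01-01 UTC) is an assumed value."""
    with tempfile.TemporaryDirectory() as root:
        doc = os.path.join(root, "usr", "share", "doc", "librust-example-dev")
        os.makedirs(doc)
        for name, mtime in CARGO_MTIMES.items():
            path = os.path.join(doc, name)
            open(path, "w").close()
            os.utime(path, (mtime, mtime))
        changed = clamp_old_mtimes(root, source_date_epoch, cutoff)
        after = {n: int(os.lstat(os.path.join(doc, n)).st_mtime) for n in CARGO_MTIMES}
    return changed, after


if __name__ == "__main__":
    print(demo())
```

With the assumed cutoff, the 2006 value is left alone while 0, 1 and 123456789 are rewritten, so whether a given tar-rs release trips the check depends entirely on where the archive's threshold sits.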


