Bug#1020648: extrepo-data: reproducible builds: Timestamps recorded for all packaged files
Vagrant Cascadian
vagrant at reproducible-builds.org
Sat Sep 24 20:44:35 BST 2022
Source: extrepo-data
Severity: normal
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org, distro-info at packages.debian.org
It seems extrepo-data embeds different repository information depending
on when it is built, inferring the resolution of the "testing" suite to
a specific named released based on the current date (e.g. bookworm
vs. trixie).
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/amd64/diffoscope-results/extrepo-data.html
usr/share/extrepo/offline-data/debian/trixie/consol.asc
vs.
usr/share/extrepo/offline-data/debian/bookworm/consol.asc
This is because extrepo-data calls DebianDistroInfo->new() from
libdistro-info-perl:
tools/lib/ExtRepoData.pm:my $info = DebianDistroInfo->new();
Which resolves testing to a suite based on the current date.
The attached patch works around this by explicitly passing the codenames
instead of the "testing" suite, though I am not sure the specified
repositories actually exist, so should require further verification
before applying. There may be similar issues with using "stable" suites
as well, though I have not found any examples at the moment.
There are likely better ways to resolve this issue (e.g. adding
SOURCE_DATE_EPOCH support to libdistro-info-perl), though hopefully
someone with a bit more perl skills can tackle that. Specifying suites
explicitly might be better than relying on a "testing" suite that may
change codename regardless of weather libdistro-info-perl is fixed
anyways. (e.g. a security or stable or oldstable update might result in
a package with totally with different respositories).
With this patch applied, extrepo-data should build reproducibly on
tests.reproducible-builds.org!
Thanks for maintaining extrepo-data!
live well,
vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Avoid-using-testing-which-produces-different-results.patch
Type: text/x-diff
Size: 1567 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220924/fe5df9bc/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-bugs/attachments/20220924/fe5df9bc/attachment.sig>
More information about the Reproducible-bugs
mailing list