Bug#1059576: geophar: please make the build reproducible

James Addison jay at jp-hosting.net
Thu Dec 28 15:51:15 GMT 2023 

Source: geophar
Version: 18.10+dfsg1-1
Severity: wishlist
Tags: patch
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
Control: user -1 reproducible-builds at lists.alioth.debian.org

Dear Maintainer,

I'm an occasional volunteer to the Reproducible Builds[0] project and
noticed that your package 'geophar' failed to build reproducibly recently
during automated testing.

The reproducible-builds tests build projects with varying environment
configuration (locale, shell, username, ...) and in the case of 'geophar' it
seems that differing timezones (env var TZ) caused the build to emit different
results.

The cause seems to be the version-replacement code in 'debian/rules' that
embeds the latest version and date from the Debian changelog (sensible) into
the packaged version information.

Extracting some scripting from geophar-18.10+dfsg1 and re-running it for some
widely-separated timezones I confirmed that the resulting output differs:

  $ TZ='Etc/GMT+12' date --date=@$(dpkg-parsechangelog --show-field Timestamp) +"%Y, %-m, %-d"
  2023, 10, 4
  $ TZ='Etc/GMT-14' date --date=@$(dpkg-parsechangelog --show-field Timestamp) +"%Y, %-m, %-d"
  2023, 10, 6

Since the Debian changelog version is parsed as a Unix timestamp (integer
seconds since 1970-01-01), I think it should be safe to request that the 'date'
command emit an output that is localized to the UTC timezone, creating a stable
output:

  $ TZ='Etc/GMT+12' date --utc --date=@$(dpkg-parsechangelog --show-field Timestamp) +"%Y, %-m, %-d"
  2023, 10, 5
  $ TZ='Etc/GMT-14' date --utc --date=@$(dpkg-parsechangelog --show-field Timestamp) +"%Y, %-m, %-d"
  2023, 10, 5

Please find attached a patch to achieve this result for the package.

Thank you,
James

[0] - https://reproducible-builds.org/
-------------- next part --------------
diff --git a/debian/rules b/debian/rules
index d534751..05a29a5 100755
--- a/debian/rules
+++ b/debian/rules
@@ -54,7 +54,7 @@ override_dh_install:
 	  sed -i 's%https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML%http://localhost/javascript/mathjax/MathJax.js%' $$f; \
 	done
 	# modify the version number
-	date=$$(date --date="@$$(dpkg-parsechangelog --show-field Timestamp)" +"(%Y, %-m, %-d)"); \
+	date=$$(date --utc --date="@$$(dpkg-parsechangelog --show-field Timestamp)" +"(%Y, %-m, %-d)"); \
 	version=$$(dpkg-parsechangelog --show-field Version); \
 	fileToChange=debian/geophar/usr/share/geophar/wxgeometrie/version.py; \
 	echo version = $$version, date_version = $$date; \

More information about the Reproducible-bugs mailing list