Bug#1102760: apg: please make the build reproducible (username)
James Addison
jay at jp-hosting.net
Sat Apr 12 17:19:05 BST 2025
Source: apg
Severity: wishlist
Tags: patch, upstream
X-Debbugs-Cc: reproducible-bugs at lists.alioth.debian.org
User: reproducible-builds at lists.alioth.debian.org
Usertags: username
Control: block -1 by 1102758
Dear Maintainer,
This bugreport is a companion to previous bugreports #870890 and #1079041, and
(in my opinion) should be blocked until recent bugreport #1102758 is resolved.
Recent rebuilds[1][2] of src:apg have uncovered the possibility for the tarfile
metadata of the php.tar.gz file in the resulting binary package to vary based
on the build environment.
Recommended guidance[3] from the Reproducible Builds project documentation is
to fix the UID and GID in tarball archives to zero, and to use solely numeric
owner/group identifiers (omitting string-based usernames/groupnames).
Please find attached a patch to apply these recommendations; I have confirmed
that the build succeeds and that solely numeric user/group identifiers are
found in the resulting php.tar.gz file after the patch is applied, where
previously string-based identifiers were emitted. I'll also offer this as a
merge request on Salsa.
Thank you,
James
[1] - https://reproduce.debian.net/amd64/api/v0/builds/250671/diffoscope
[2] - https://reproduce.debian.net/arm64/api/v0/builds/159768/diffoscope
[3] - https://reproducible-builds.org/docs/archives/#users-groups-and-numeric-ids
-------------- next part --------------
--- a/debian/rules
+++ b/debian/rules
@@ -22,6 +22,7 @@
mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg
tar --create --verbose --file - --directory $(CURDIR)/php/apgonline/ \
--clamp-mtime --mtime="@$(SOURCE_DATE_EPOCH)" \
+ --owner=0 --group=0 --numeric-owner \
--mode=u=rwX,go=rX --sort=name . | gzip --no-name > php.tar.gz
install -D --mode=0644 php.tar.gz $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz
rm php.tar.gz
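Review bot: in the recipe around the added `--owner=0 --group=0 --numeric-owner` line, tar's output is piped straight into `gzip --no-name > php.tar.gz`, so with a default shell the step takes gzip's exit status and a tar failure (for example a tar that rejects one of the options) would still leave a php.tar.gz for the following `install` line. Unless pipefail is enabled elsewhere in debian/rules, which this hunk does not show, consider writing the tar output to a temporary file and compressing it in a second step. A short comment above the tar call pointing at the Reproducible Builds archive guidance would also help keep the ownership flags from being dropped in a later cleanup.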
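The ownership check described in the report, as an added example that is not part of the original message or of the apg packaging: a Python sketch that reads each tar member header and flags any non-zero UID/GID or stored user/group name. The function names, the `builder` account and the sample archives are constructed for illustration.

```python
import gzip
import io
import tarfile


def build_archive(uid, gid, uname, gname):
    """Constructed sample: a one-file tar.gz carrying the given ownership metadata."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tf:
        data = b"<?php ?>\n"
        info = tarfile.TarInfo("./index.php")
        info.size, info.mtime, info.mode = len(data), 0, 0o644
        info.uid, info.gid, info.uname, info.gname = uid, gid, uname, gname
        tf.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # mtime=0 and an empty filename keep the gzip header free of build-time data
    with gzip.GzipFile(fileobj=out, mode="wb", filename="", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def ownership_findings(targz_bytes):
    """Return (member, problem) pairs for headers that can vary between build hosts."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(targz_bytes), mode="r:gz") as tf:
        for member in tf:
            if member.uid != 0 or member.gid != 0:
                findings.append((member.name, f"uid/gid {member.uid}/{member.gid}"))
            if member.uname or member.gname:
                findings.append((member.name, f"names {member.uname!r}/{member.gname!r}"))
    return findings


if __name__ == "__main__":
    samples = {
        "build user leaked": build_archive(1000, 1000, "builder", "builder"),
        "ids zeroed, names kept": build_archive(0, 0, "root", "root"),
        "ids zeroed, numeric only": build_archive(0, 0, "", ""),
    }
    for label, blob in samples.items():
        print(label, "->", ownership_findings(blob) or "clean")
```

To check a real build artifact, pass the bytes of the installed php.tar.gz to `ownership_findings`.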