[Reproducible-builds] Bug#762674: python-apt: please don't embed the date and time of the build in apt_pkg
Jérémy Bobbio
lunar at debian.org
Wed Sep 24 10:31:19 UTC 2014
Source: python-apt
Version: 0.9.3.10
Severity: wishlist
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: timestamps
Hi!
As part of the “reproducible builds” projects [1], we have discovered
that the apt_pkg module provided by python-apt embeds the date and time
of the build. This makes the build process unreproducible.
We don't believe such timestamps to be useful. In the case of apt_pkg,
it's even a little bit confusing because the values of VERSION and
LIB_VERSION are actually coming from apt, but DATE and TIME will depend
solely on the build time of python-apt.
The attached patch simply removes the DATE and TIME apt_pkg members.
This is the only modification needed to make the package build
reproducible. The sole known user of these members in the Debian archive
in the example script in python-apt, according to codesearch:
http://codesearch.debian.net/search?q=apt_pkg\.DATE
http://codesearch.debian.net/search?q=apt_pkg\.TIME
If the API change is not acceptable, another solution would be to
generate their value from the latest entry of debian/changelog.
[1]: https://wiki.debian.org/ReproducibleBuilds
--
Lunar .''`.
lunar at debian.org : :Ⓐ : # apt-get install anarchism
`. `'`
`-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: python-apt_0.9.3.10+reproducible.patch
Type: text/x-diff
Size: 1913 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20140924/065d82d8/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20140924/065d82d8/attachment.sig>
More information about the Reproducible-builds
mailing list