[Reproducible-builds] Bug#793126: torbutton: please support timestamps from environment

Dhole dhole at openmailbox.org
Tue Jul 21 14:18:27 UTC 2015 

Source: torbutton
Version: 1.4.6.3-1
Severity: wishlist
Tags: patch
User: reproducible-builds at lists.alioth.debian.org
Usertags: timestamps
X-Debbugs-Cc: reproducible-builds at lists.alioth.debian.org

Hi,

While working on the "reproducible builds" effort [1], we have noticed
that torbutton could not be built reproducibly.

The attached patch removes timezone-varying timestamps from the
files compressed with zip. Once applied, torbutton can be built
reproducibly in our current experimental framework.

 [1]: https://wiki.debian.org/ReproducibleBuilds


Regards,
-- 
Dhole
-------------- next part --------------
diff -Nru torbutton-1.4.6.3/debian/changelog torbutton-1.4.6.3/debian/changelog
--- torbutton-1.4.6.3/debian/changelog	2012-10-16 21:22:39.000000000 +0200
+++ torbutton-1.4.6.3/debian/changelog	2015-07-21 00:35:00.000000000 +0200
@@ -1,3 +1,11 @@
+torbutton (1.4.6.3-1.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * add TZ=UTC before zip in makexpi.sh to make the files mtime 
+    invariant to timezone to make the package build reproducibly.
+
+ -- Dhole <dhole at openmailbox.org>  Tue, 21 Jul 2015 00:34:36 +0200
+
 torbutton (1.4.6.3-1) unstable; urgency=high
 
   * New upstream release:
diff -Nru torbutton-1.4.6.3/debian/patches/fix-timezone-in-zip torbutton-1.4.6.3/debian/patches/fix-timezone-in-zip
--- torbutton-1.4.6.3/debian/patches/fix-timezone-in-zip	1970-01-01 01:00:00.000000000 +0100
+++ torbutton-1.4.6.3/debian/patches/fix-timezone-in-zip	2015-07-21 00:36:48.000000000 +0200
@@ -0,0 +1,18 @@
+Description: Fix timezone before calling zip
+Author: Dhole <dhole at openmailbox.org>
+
+---
+
+--- torbutton-1.4.6.3.orig/makexpi.sh
++++ torbutton-1.4.6.3/makexpi.sh
+@@ -18,8 +18,8 @@ cd ../..
+ # create .xpi
+ echo ---------- create $APP_NAME.xpi ----------
+ cd src
+-echo zip -X -9r ../pkg/$XPI_NAME ./ -x "certDialogsOverride.js" -x "chrome/*" -x "*.diff" -x "*.svn/*"
+-zip -X -9r ../pkg/$XPI_NAME ./ -x "components/certDialogsOverride.js" -x "*.svn/*" -x "*.diff" -x "components/torRefSpoofer.js" #-x "chrome/*"
++echo TZ=UTC zip -X -9r ../pkg/$XPI_NAME ./ -x "certDialogsOverride.js" -x "chrome/*" -x "*.diff" -x "*.svn/*"
++TZ=UTC zip -X -9r ../pkg/$XPI_NAME ./ -x "components/certDialogsOverride.js" -x "*.svn/*" -x "*.diff" -x "components/torRefSpoofer.js" #-x "chrome/*"
+ #mv ../$APP_NAME.jar ./chrome
+ #zip -9m ../pkg/$XPI_NAME chrome/$APP_NAME.jar
+ cd ..
diff -Nru torbutton-1.4.6.3/debian/patches/series torbutton-1.4.6.3/debian/patches/series
--- torbutton-1.4.6.3/debian/patches/series	2012-10-16 21:22:39.000000000 +0200
+++ torbutton-1.4.6.3/debian/patches/series	2015-07-21 00:36:30.000000000 +0200
@@ -1,3 +1,4 @@
 localhost-proxy.patch
 restore-status-panel-on-ff4.patch
 disable-locked-mode.patch
+fix-timezone-in-zip
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20150721/53c0cb6f/attachment.sig>

More information about the Reproducible-builds mailing list