[Reproducible-builds] Common reproducibility problem in your globus packages

[Maria Valentina Marin]

Hi!

While working as part of the Debian reproducible builds team [1] we have
noticed that 30 globus-* packages are affected by timestamps in manpages
generated by doxygen [2].

The reproducible builds team is building packages using a version of
doxygen which has been patched to honour the environment variable
$SOURCE_DATE_EPOCH. This results in doxygen using the last date in
debian/changelog as the timestamp for its man page output which causes
packages to become reproducible [3].

The environment variable $SOURCE_DATE_EPOCH is exported by the debhelper
from our experimental git repository which we have patched such that
packages using dh (debhelper >= 9) in debian/rules become automatically
reproducible.

This unfortunately does not make the globus-* packages reproducible
because they do not use dh as their build system but instead classic
debhelper.

There are two solutions for the globus-* packages:

1. To rewrite debian/rules to use dh
2. Export the environment variable $SOURCE_DATE_EPOCH [4] in their
debian/rules, the line would be:

       export SOURCE_DATE_EPOCH = $(shell date -d
"$$(dpkg-parsechangelog --count 1 -SDate)" +%s)

I am writing to you personally because I do not want to file bugs
against the 30 packages without consulting you on what option you prefer.

Kind Regards,
akira


[1] https://wiki.debian.org/ReproducibleBuilds/About
[2]
https://reproducible.debian.net/issues/unstable/timestamps_in_manpages_generated_by_doxygen_issue.html
[3] https://wiki.debian.org/ReproducibleBuilds/ExperimentalToolchain#doxygen
[4] https://wiki.debian.org/ReproducibleBuilds/TimestampsProposal

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20150729/3356887c/attachment.sig>