[Reproducible-builds] Heads-up! (was: [dpkg] 07/07: Document

Jérémy Bobbio lunar at debian.org
Fri Mar 4 22:44:50 UTC 2016

Jérémy Bobbio:
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,15 @@
> +dpkg ( UNRELEASED; urgency=low
> +
> +  * Use a single timestamp for ar headers when building a .deb.
> +  * Use the common build timestamp for all files created at a later time if
> +    tar supports then --clamp-mtime option.
> +  * Allow to set the build timestamp using SOURCE_DATE_EPOCH.
> +  * Preset build timestamp to latest changelog entry. Closes: #759886, #759999
> +  * Normalize file permissions when creating control.tar. Closes: #787980
> +  * Add support for .buildinfo files. Closes: #138409

This versions implement changes discussed in #138409. One is that we are
now capturing some environment variables in .buildinfo files. In the
case of tests.reproducible-builds.org and the prebuilder script that means
that, as it is, every package would fail to be reproducible with the
current comparison. So I refrained from uploading binaries yet.

Couple of ways out I can think of:

 1. Easy quick fix: use sed to remove .buildinfo from both .changes
    file, then give .changes file to diffoscope.
 2. Slightly more complicated: change diffoscope to ignore most
    fields in .buildinfo files.
 3. More involved: finally add “ignore modules” to diffoscope and
    write a module to ignore most fields in .buildinfo files. I
    would enable such a module by default.

(I won't have time to work on any of this before probably 8-10 days.)

Just for the record, Guillem said on IRC that he was waiting for us to
test the treewalk code before uploading dpkg/1.18.5 which ought to fix
file ordering issues.

Lunar                                .''`. 
lunar at debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'` 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20160304/ca12a772/attachment.sig>

More information about the Reproducible-builds mailing list