sbuild should use build date as binnmu changelog date

Thu Nov 10 05:49:18 UTC 2016

Hi Ian and reproducible-builds folks,

On Wed, 9 Nov 2016 12:03:48 +0000 Ian Jackson <ijackson at chiark.greenend.org.uk> wrote:
> Currently, when adding a changelog stanza for a binnmu (or when appending to
> the version number is requested for another reason), sbuild uses the existing
> source changelog timestamp when inventing the changelog entry for the binnmu
> itself:
> 
> http://sources.debian.net/src/sbuild/0.72.0-2/lib/Sbuild/Build.pm/#L2005
> 
> This causes problems because it means that (in the usual case) the
> rebuilt package has files with the same timestamps as the previous
> build, but different contents.  So on the end system, the timestamps
> cani be misleading, causing malfunction of backup programs etc.  (Eg
> an upgrade to a binnmu would be captured only partially in a backup,
> leading to lossage.)
> 
> AIUI there were two reasons why this particular timestamp was (might
> have been) chosen:
> 
> Firstly, part of an early attempt to assist multiarch by making all
> the changelogs identical on different architectures.  But in fact, the
> changelog is not identical in any case (because different
> architectures may have differently version-numbered binnmus).  So the
> binnmu changelog entry is nowadays put in a separate file, and need
> not be the same on different architectures.
> 
> Secondly, an attempt to assist reproducible builds.  But the
> reproducible build output necessarily includes the complete binnmu
> changelog entry; therefore the complete binnmu changelog entry is an
> input to a repro-build attempt.  It is indeed contained in the
> Binary-Only-Changes field of the .buildinfo.
> 
> Subsequent binnmu builds of the same package should generate packages
> containing increasing timestamps.  The best timestamp to use is the
> timestamp of the build attempt.
> 
> So, sbuild should use `date -R`[1] instead of the date from the last
> changelog entry in the source package, when generating the binnmu
> changelog entry.
> 
> [1] Actually, sbuild seems to have a tweakable parameter
> "Pkg Start Time" which looks like it would be appropriate, so
> something like this:
>    my $date = strftime_c "%FT%TZ", gmtime($self->get('Pkg Start Time'));

thanks for putting all the relevant information from the original thread on
debian-devel into this bug report in an organized manner!

While "Pkg Start Time" might be a good default, I guess for to be able to
reproduce a binNMU it would be necessary to also allow the user to pass a
custom timestamp.

I propose to add the command line option --binNMU-date and use that or, if the
command line option is not given, the value from the environment variable
SOURCE_DATE_EPOCH.

The --binNMU-date option can then also be used by debrebuild.pl (see #774415).

Does that sound like an acceptable fix?

Thanks!

cheers, josch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20161110/26825f61/attachment.sig>