Bug#894441: dpkg-buildpackage: SOURCE_DATE_EPOCH must ignore bin-nmu changelog entries. Breaks M-A:same
Philipp Kern
pkern at debian.org
Sat Mar 31 13:05:56 UTC 2018
On 2018-03-30 20:15, Sven Joachim wrote:
> On 2018-03-30 15:02 +0100, Chris Lamb wrote:
>
>> [adding 894441@ to CC]
>>
>> Hi Jean-Michel,
>>
>>> Filled as #894441
>>> https://bugs.debian.org/894441
>>
>> Thanks for this. I was just briefly wondering whether this is related
>> to:
>>
>> https://lists.debian.org/debian-security/2017/05/msg00011.html
>
> It seems so. What you are describing there had been noticed by Ian
> Jackson before:
>
> https://lists.debian.org/debian-devel/2016/11/msg00328.html
>
> Ian then filed bug #843773 against sbuild, and as a result sbuild (as
> of
> version 0.73.0-1) no longer reuses the timestamp of the last changelog
> entry in binNMUs.
>
> The same version of sbuild introduced a --binNMU-timestamp option, and
> I
> think wanna-build should use it to achieve a consistent
> SOURCE_DATE_EPOCH across architectures in binNMUs. Something along
> these lines had already been proposed in #843773.
I'd hold that the sourceful uploads Ubuntu does (XbuildY) are actually a
cleaner solution to the problem. The cute hack is necessary because a)
our policies discourage sourceful NMUs heavily and b) scheduling an
automatic rebuild is more than a simple RPC call and involves a
re-upload of the whole source package.
Right now wanna-build still has no notion of a consistent state across
architectures. So just like version picking is already done in higher
level orchestration (wb) that tool would need to provide the timestamps
as well. Information is also lost whenever new state is merged, although
practically that's probably not a problem here because a new sourceful
build would be pushed to all architectures mostly at once anyway.
Kind regards
Philipp Kern
More information about the Reproducible-builds
mailing list