Re: Building Debian source packages reproducibly
On 2019-10-28 10:05 +0100, Didier 'OdyX' Raboud wrote:
> On Wednesday, 23 October 2019, 15:49:11 CET Theodore Y. Ts'o wrote:
>> On Wed, Oct 23, 2019 at 11:18:24AM +1000, Russell Stuart wrote:
>> > On Tue, 2019-10-22 at 16:52 -0700, Russ Allbery wrote:
>> > > That seems excessively pessimistic. What about Git makes you think
>> > > it's impossible to create a reproducible source package?
>> > Has it been done? Given this point has been raised several times
>> > before, if it hasn't been done by now I think it's reasonable to assume
>> > it's difficult, and thinking that it's so is not excessively
>> > pessimistic.
>> Generating a reproducible source package given a particular git commit
>> is trivial. All you have to do is use "git archive". For example:
> When talking about upstream projects, sure.
> But generating Debian source packages (.dsc and friends) from a
> `debian/master` (+ `pristine-tar`) reproducibly is not really, right?
> As far as I understand, `gbp buildpackage -S` is the closest we have, but so
> far, I fail to get it to give me the bit-by-bit identical unsigned .dsc that
> I'd like to get. What am I missing?
Assuming format 3.0 (quilt): timestamps and permissions of files under
the debian/ directory. The permissions of files in the git repository
are different from user to user (mostly depending on their umask), and
are propagated to the debian.tar.xz.
When building from a fresh clone, timestamps of files in the
debian.tar.xz should be set to the date of the latest debian/changelog
entry, as dpkg-source will clamp their mtimes to that value. But in an
existing git repository there will likely be files older than that, and
their random mtime also propagates to the debian.tar.xz.
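The effect described in the reply above (files newer than the changelog date clamped down to it, older files and umask-dependent permission bits leaking into the archive), as an added Python example that is not part of the thread. The sample debian/ tree, the changelog epoch and the `normalize` step are constructed assumptions; the clamping step mirrors only what the message says dpkg-source does to mtimes, nothing more.

```python
"""Show how mtimes and permission bits leak into a debian.tar-style archive,
and why dpkg-source style clamping alone is not enough for bit-identical
output.  Everything below is a constructed demonstration, not dpkg code."""
import hashlib
import io
import os
import stat
import tarfile
import tempfile

# Constructed: epoch seconds for a hypothetical latest debian/changelog
# entry (2019-10-22 00:00:00 UTC).
CHANGELOG_EPOCH = 1571702400
NEWER = CHANGELOG_EPOCH + 86400 * 30   # fresh clone: checked out after the changelog date
OLDER = CHANGELOG_EPOCH - 86400 * 365  # stale file lying around in an existing clone


def make_tree(root, mtime, mode):
    """Create a minimal debian/ tree; every file gets the given mtime and mode."""
    os.makedirs(os.path.join(root, "debian"), exist_ok=True)
    for rel, body in [("debian/changelog", b"pkg (1.0-1) unstable; urgency=medium\n"),
                      ("debian/control", b"Source: pkg\n"),
                      ("debian/rules", b"#!/usr/bin/make -f\n")]:
        path = os.path.join(root, rel)
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))
    # Set the directory mtime last: writing the files above bumps it.
    os.utime(os.path.join(root, "debian"), (mtime, mtime))


def clamp_mtime(info, limit=CHANGELOG_EPOCH):
    """Clamp as the message describes dpkg-source doing: files newer than the
    changelog date are pulled down to it, older files keep their arbitrary
    mtime, and permission bits are left exactly as found on disk."""
    info.mtime = min(info.mtime, limit)
    return info


def normalize(info, when=CHANGELOG_EPOCH):
    """Full normalization (an assumption of this example, not dpkg behaviour):
    fixed mtime, canonical 0644/0755 modes, no owner information."""
    info.mtime = when
    info.uid = info.gid = 0
    info.uname = info.gname = "root"
    executable = info.isdir() or bool(info.mode & stat.S_IXUSR)
    info.mode = 0o755 if executable else 0o644
    return info


def build_tar(root, filt):
    """Pack root/debian into an uncompressed tar with entries in sorted order
    and return the SHA-256 of the resulting bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        entries = []
        for dirpath, dirnames, filenames in os.walk(os.path.join(root, "debian")):
            dirnames.sort()  # deterministic traversal order
            entries.append(dirpath)
            entries.extend(os.path.join(dirpath, f) for f in sorted(filenames))
        for path in entries:
            tar.add(path, arcname=os.path.relpath(path, root),
                    recursive=False, filter=filt)
    return hashlib.sha256(buf.getvalue()).hexdigest()


def compare(mtime_a, mode_a, mtime_b, mode_b, filt):
    """Build the same tree twice with different metadata; True if the archives match."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, mtime_a, mode_a)
        make_tree(b, mtime_b, mode_b)
        return build_tar(a, filt) == build_tar(b, filt)


def demo():
    return {
        # two fresh clones: every mtime is newer than the changelog, so all clamp alike
        "fresh_vs_fresh_clamped": compare(NEWER, 0o644, NEWER + 3600, 0o644, clamp_mtime),
        # an existing clone with a file older than the changelog: clamping leaves it
        "fresh_vs_old_clamped": compare(NEWER, 0o644, OLDER, 0o644, clamp_mtime),
        # umask 022 vs 002: the group-writable bit is recorded in the archive
        "umask_clamped": compare(NEWER, 0o644, NEWER, 0o664, clamp_mtime),
        # full normalization makes old mtimes and odd modes irrelevant
        "old_normalized": compare(NEWER, 0o644, OLDER, 0o664, normalize),
    }


if __name__ == "__main__":
    for name, same in demo().items():
        print(f"{name}: {'identical' if same else 'DIFFERENT'}")
```

Only the `fresh_vs_fresh_clamped` and `old_normalized` cases come out identical: clamping handles the fresh-clone case the message describes, while a stale mtime or a different umask survives it, which is exactly why the unsigned .dsc differs from one checkout to the next.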