• Bug#1102760: apg: please make the build reproducible (username)

    From James Addison@21:1/5 to All on Sat Apr 12 18:30:03 2025

    Source: apg
    Severity: wishlist
    Tags: patch, upstream
    X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
    User: reproducible-builds@lists.alioth.debian.org
    Usertags: username
    Control: block -1 by 1102758

    Dear Maintainer,

    This bugreport is a companion to previous bugreports #870890 and #1079041, and (in my opinion) should be blocked until recent bugreport #1102758 is resolved.

    Recent rebuilds[1][2] of src:apg have uncovered the possibility for the tarfile metadata of the php.tar.gz file in the resulting binary package to vary based on the build environment.

    Recommended guidance[3] from the Reproducible Builds project documentation is to fix the UID and GID in tarball archives to zero, and to use solely numeric owner/group identifiers (omitting string-based usernames/groupnames).

    Please find attached a patch to apply these recommendations; I have confirmed that the build succeeds and that solely numeric user/group identifiers are found in the resulting php.tar.gz file after the patch is applied, where previously string-based identifiers were emitted. I'll also offer this as a merge request on Salsa.

    Thank you,
    James

    [1] - https://reproduce.debian.net/amd64/api/v0/builds/250671/diffoscope

    [2] - https://reproduce.debian.net/arm64/api/v0/builds/159768/diffoscope

    [3] - https://reproducible-builds.org/docs/archives/#users-groups-and-numeric-ids

    --- a/debian/rules
    +++ b/debian/rules
    @@ -22,6 +22,7 @@
    mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg
    tar --create --verbose --file - --directory $(CURDIR)/php/apgonline/ \
    --clamp-mtime --mtime="@$(SOURCE_DATE_EPOCH)" \
    + --owner=0 --group=0 --numeric-owner \
    --mode=u=rwX,go=rX --sort=name . | gzip --no-name > php.tar.gz
    install -D --mode=0644 php.tar.gz $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz
    rm php.tar.gz
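
    Review bot: The added line "--owner=0 --group=0 --numeric-owner" carries no comment saying why ownership is pinned, so a later tidy-up of this long tar invocation could drop it and silently bring back build-user names in php.tar.gz. Suggest a one-line comment above the tar command in debian/rules pointing at the Reproducible Builds archive guidance (reference [3] in the report). Separately, since the archive is written through "tar ... | gzip --no-name > php.tar.gz", a tar failure only fails the recipe if the shell runs with pipefail, which is worth confirming while this command is being touched.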

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
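
A check along the lines of the verification described in the report, as an added example that is not part of the original message or of the apg packaging: Python's tarfile module builds constructed sample archives as two different build users, with and without normalized ownership, and lists members whose headers still carry a non-zero ID or a user/group name. The member names, user names, UIDs and function names are assumptions made for illustration.

```python
import io
import tarfile

# Constructed sample members; not the real contents of php.tar.gz.
MEMBERS = {"index.php": b"<?php // constructed sample\n",
           "lib/apg.php": b"<?php // constructed sample\n"}

def build_archive(user, uid, normalize):
    """Tar the constructed MEMBERS as if built by `user`; normalize=True
    mimics the effect of --owner=0 --group=0 --numeric-owner."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(MEMBERS):          # stable order, like --sort=name
            info = tarfile.TarInfo(name)
            info.size = len(MEMBERS[name])
            info.mtime = 0                    # fixed, like a clamped mtime
            info.mode = 0o644
            if normalize:
                info.uid = info.gid = 0
                info.uname = info.gname = ""  # numeric IDs only
            else:
                info.uid = info.gid = uid
                info.uname = info.gname = user
            tar.addfile(info, io.BytesIO(MEMBERS[name]))
    return buf.getvalue()

def ownership_findings(archive_bytes):
    """Return (member, problem) pairs for headers that leak build-user identity."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.uid != 0 or member.gid != 0:
                findings.append((member.name, f"uid/gid {member.uid}/{member.gid}"))
            if member.uname or member.gname:
                findings.append((member.name, f"names {member.uname!r}/{member.gname!r}"))
    return findings

if __name__ == "__main__":
    for label, normalize in (("unpatched", False), ("patched", True)):
        a = build_archive("alice", 1000, normalize)
        b = build_archive("bob", 1001, normalize)
        print(label, "identical across builders:", a == b)
        for name, problem in ownership_findings(a):
            print("  ", name, problem)
```

ownership_findings() also accepts gzip-compressed bytes, so the same function can be pointed at the contents of a built php.tar.gz.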
  • From James Addison@21:1/5 to All on Sat Apr 12 19:00:01 2025
    Source: apg
    Followup-For: Bug #1102760
    Control: forwarded -1 https://salsa.debian.org/debian/apg/-/merge_requests/1
