Source: apg
Severity: wishlist
Tags: patch, upstream
X-Debbugs-Cc: reproducible-bugs@lists.alioth.debian.org
User: reproducible-builds@lists.alioth.debian.org
Usertags: username
Control: block -1 by 1102758
Dear Maintainer,
This bugreport is a companion to previous bugreports #870890 and #1079041, and (in my opinion) should be blocked until recent bugreport #1102758 is resolved.
Recent rebuilds[1][2] of src:apg have uncovered the possibility for the tarfile metadata of the php.tar.gz file in the resulting binary package to vary based on the build environment.
Recommended guidance[3] from the Reproducible Builds project documentation is to fix the UID and GID in tarball archives to zero, and to use solely numeric owner/group identifiers (omitting string-based usernames/groupnames).
Please find attached a patch to apply these recommendations; I have confirmed that the build succeeds and that solely numeric user/group identifiers are found in the resulting php.tar.gz file after the patch is applied, where previously string-based identifiers were emitted. I'll also offer this as a merge request on Salsa.
Thank you,
James
[1] - https://reproduce.debian.net/amd64/api/v0/builds/250671/diffoscope
[2] - https://reproduce.debian.net/arm64/api/v0/builds/159768/diffoscope
[3] - https://reproducible-builds.org/docs/archives/#users-groups-and-numeric-ids
--- a/debian/rules
+++ b/debian/rules
@@ -22,6 +22,7 @@
mv $(CURDIR)/debian/apg/usr/bin/apg $(CURDIR)/debian/apg/usr/lib/apg/apg
tar --create --verbose --file - --directory $(CURDIR)/php/apgonline/ \
--clamp-mtime --mtime="@$(SOURCE_DATE_EPOCH)" \
+ --owner=0 --group=0 --numeric-owner \
--mode=u=rwX,go=rX --sort=name . | gzip --no-name > php.tar.gz
install -D --mode=0644 php.tar.gz $(CURDIR)/debian/apg/usr/share/doc/apg/php.tar.gz
rm php.tar.gz
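Review bot: the exit status of tar is discarded in the `tar ... | gzip --no-name > php.tar.gz` pipeline, so if tar rejects an option on the added `--owner=0 --group=0 --numeric-owner` line (or fails for any other reason) the recipe still installs whatever gzip produced, unless the recipe shell is configured otherwise outside this hunk. Consider writing the tar output to a temporary file and compressing it in a second command so a tar failure stops the build. A one-line comment above the tar invocation pointing at the Reproducible Builds archive guidance would also explain why the owner flags sit next to `--clamp-mtime` and `--sort=name`.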
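A check for the property the report describes (UID/GID fixed to zero and no string user/group names in the archive), added here as an example; it is not part of the original report or of the apg packaging. The function names are hypothetical, and the member name and the `builder` account are constructed sample values.

```python
import io
import tarfile


def make_archive(with_names):
    """Build a constructed one-file tar.gz in memory (sample data only)."""
    data = b"<?php echo 'demo'; ?>\n"
    info = tarfile.TarInfo("./index.php")
    info.size = len(data)
    info.mode = 0o644
    info.mtime = 0
    if with_names:
        # Metadata that varies with the build environment.
        info.uid = info.gid = 1000
        info.uname = info.gname = "builder"  # constructed account name
    else:
        # Normalized form: zero ids, empty name fields.
        info.uid = info.gid = 0
        info.uname = info.gname = ""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def owner_findings(archive_bytes):
    """Return one finding per member field that depends on the build user."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if member.uid != 0 or member.gid != 0:
                findings.append(
                    f"{member.name}: uid/gid {member.uid}/{member.gid}, expected 0/0")
            if member.uname or member.gname:
                findings.append(
                    f"{member.name}: stores names {member.uname!r}/{member.gname!r}")
    return findings


if __name__ == "__main__":
    for label, flag in (("environment-dependent", True), ("normalized", False)):
        problems = owner_findings(make_archive(flag))
        print(label, "->", problems or "numeric 0/0 only")
```

To check a built file, pass its bytes to `owner_findings`; an empty list means every member carries 0/0 and no stored names.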