[Reproducible-builds] GSoC 2015 Week 9: Move forward reproducible builds

Sat Jul 25 12:50:23 UTC 2015

Hi,

This week I have patched the two remaining packages tagged by the issue
timestamps_difference_by_unzip [1], plus another one also affected by this
issue which wasn't tagged:

- torbutton
    https://bugs.debian.org/793126
- pdf.js
    https://bugs.debian.org/793127
- deejayd
    https://bugs.debian.org/793300

I have been looking at a package affected by timestamps in zip (moin). I
managed to get rid of some of the unreproducibility issues: the timestamps in
the metadata shown by zipinfo, out of which some are files mtimes that differ
by timezone (solved by settings TZ=UTC before zip/unzip calls), and others are
localtime timestamps (solved by replacing timestamps with SOURCE_DATE_EPOCH).
After this, some differences still appear, now not seen by zipinfo but in the
file treated in binary form. This package adds files to zip through a python
script during the build. It requieres further study.

I have also studied the issue pdf_created_by_ghostscript [2] which has 18
unreproducible affected packages. There was a tentative patch for ghostcript in
our git repository from January, but it had never been submited. The patch
allowed the embedded timestamps to be replaced by an exported variable,
originally DEB_BUILD_TIMESTAMP, which I changed to SOURCE_DATE_EPOCH to follow
our current normalized timestamp proposal. I have also added code to normalize
the timezone to UTC in case SOURCE_DATE_EPOCH is used, so that the results are
timezone invariant. The commit with the patch can be found at:
https://anonscm.debian.org/cgit/reproducible/ghostscript.git/commit/?h=pu/reproducible_builds

I have also uploaded the package in our APT repository.

I have tested this patched ghostscript with some of the packages affected by
pdf_created_by_ghostscript. Unluckily none of them become reproducible without
any change. This is because the commands to generate the documentation that use
ghostscript don't happen under dh, which currently is the only place where
SOURCE_DATE_ECPOH is automatically exported. Upon exporting this variable
manually in debian/rules, I obtained the following results:

- glosstex (becomes reproducible)
- kimwitu++ (timestamp differences from ghostscript disappear. Remaining
  timestamps come from pdflatex due to timezone variation, akira is working on
  that)
- autoconf (timestamp differences from ghostscript disappear. Remaining
  timestamps come from other places, further inspection requiered)
- cvs (same results obtained, it seems this package was misstagged and actually
  uses latex to produce pdfs)
- proxy-suite (becomes reproducible)
- lprng-doc (becomes reproducible)
- gstreamer1.0 (timestamp differences from ghostscript disappear. Variable
  timestamps in .ps files remain, further inspection requiered)
- transfig (timestamp differences from ghostscript disappear. Remaining
  timestamps come from pdflatex due to timezone variation, akira is working on
  that)

For next week I plan to send the ghostscript patches to debian and probably
upstream. I'll look further at the remaining issues from the packages I studied
this week (the ones affected by pdf_created_by_ghostscript). I may continue
looking into moin.

[1]
https://reproducible.debian.net/issues/unstable/timestamps_difference_by_unzip_issue.html
[2] https://reproducible.debian.net/issues/pdf_created_by_ghostscript_issue.html

Best regards,
Dhole
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/reproducible-builds/attachments/20150725/b401cf33/attachment.sig>