[Reproducible-commits] [dpkg] 20/33: Dpkg::Source::Archive: Add support for reproducible source packages

Mattia Rizzolo mattia at debian.org
Mon Aug 1 10:25:58 UTC 2016


This is an automated email from the git hooks/post-receive script.

mattia pushed a commit to branch master
in repository dpkg.

commit d959233560317459336d39197f515c2042472762
Author: Guillem Jover <guillem at debian.org>
Date:   Sun Jul 17 18:54:18 2016 +0200

    Dpkg::Source::Archive: Add support for reproducible source packages
    
    Clamp the mtime of the source files when building the tarball to the
    first defined value from the source_date option, SOURCE_DATE_EPOCH
    environment variable or time().
    
    This makes sure the generated source tarballs always contain the same
    mtime for files or directories that have been modified during the build.
---
 debian/changelog               | 3 +++
 debian/control                 | 7 ++++++-
 scripts/Dpkg/Source/Archive.pm | 5 ++++-
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 297c9ff..0267379 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -9,6 +9,9 @@ dpkg (1.18.10) UNRELEASED; urgency=medium
     Regression introduced in dpkg 1.18.8. Closes: #830267
   * Perl modules:
     - Disable fixdebugpath feature on unsafe characters in the path.
+    - Generate reproducible source tarballs by using the new GNU tar
+      --clamp-mtime option in Dpkg::Source::Archive, to make sure no file
+      in source packages has an mtime later than the changelog entry time.
   * Documentation:
     - Document Testsuite-Triggers in dsc(5).
     - Fix deb-changes(5) description to talk about .changes instead of .dsc.
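Review bot: the added changelog entry says no file will have an mtime later than "the changelog entry time", but nothing visible in this patch ties the clamp value to the changelog. The Archive.pm hunk takes the value from the source_date option, then SOURCE_DATE_EPOCH, then time(). Suggest wording the entry in terms of those three sources, or making sure the caller that sets source_date from the changelog is part of the same series and is referenced here.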
diff --git a/debian/control b/debian/control
index b2b322c..c29e07c 100644
--- a/debian/control
+++ b/debian/control
@@ -50,7 +50,12 @@ Section: utils
 Priority: optional
 Architecture: all
 Multi-Arch: foreign
-Depends: libdpkg-perl (= ${source:Version}), bzip2, xz-utils,
+Depends:
+ libdpkg-perl (= ${source:Version}),
+# Needed for --clamp-mtime.
+ tar (>= 1.28-1),
+ bzip2,
+ xz-utils,
  patch (>= 2.7), make, binutils, base-files (>= 5.0.0), ${misc:Depends}
 Recommends: gcc | c-compiler, build-essential, fakeroot,
  gnupg | gnupg2, gpgv | gpgv2, libalgorithm-merge-perl
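Review bot: the versioned `tar (>= 1.28-1)` dependency is added to a stanza that itself depends on libdpkg-perl, while the only user of --clamp-mtime in this patch is the Perl module scripts/Dpkg/Source/Archive.pm. If that module is shipped by libdpkg-perl, the dependency belongs on that package (or on both), otherwise another consumer of the module can still run against an older tar. As a style point, the Depends field is now half one-entry-per-line and half run together (`patch (>= 2.7), make, binutils, ...` is left as it was); splitting the remaining entries too would keep later diffs to this field minimal.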
diff --git a/scripts/Dpkg/Source/Archive.pm b/scripts/Dpkg/Source/Archive.pm
index 0490fc7..3810f4e 100644
--- a/scripts/Dpkg/Source/Archive.pm
+++ b/scripts/Dpkg/Source/Archive.pm
@@ -46,9 +46,12 @@ sub create {
     $self->ensure_open('w');
     $spawn_opts{to_handle} = $self->get_filehandle();
     $spawn_opts{from_pipe} = \*$self->{tar_input};
+    # Try to use a deterministic mtime.
+    my $mtime = $opts{source_date} // $ENV{SOURCE_DATE_EPOCH} // time;
     # Call tar creation process
     $spawn_opts{delete_env} = [ 'TAR_OPTIONS' ];
-    $spawn_opts{exec} = [ 'tar', '-cf', '-', '--format=gnu', '--null',
+    $spawn_opts{exec} = [ 'tar', '-cf', '-', '--format=gnu',
+                          '--mtime', "\@$mtime", '--clamp-mtime', '--null',
                           '--numeric-owner', '--owner=0', '--group=0',
                           @{$opts{options}}, '-T', '-' ];
     *$self->{pid} = spawn(%spawn_opts);
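Review bot: SOURCE_DATE_EPOCH reaches the tar command line unchecked in the new `my $mtime = $opts{source_date} // $ENV{SOURCE_DATE_EPOCH} // time;` line. The `//` operator only tests for definedness, so an empty or non-numeric value from the environment is accepted and passed on as `--mtime @<value>`, leaving tar to reject or interpret it. Suggest validating that the chosen value is a plain decimal integer (for example against /^\d+$/) and reporting an error when it is not. The final fallback to time() also deserves a short comment next to it saying that the output is only stable across builds when one of the first two sources is set.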

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git
