jdeb
make deb packages reproducible by NOT having gzipped time-stamp.
Hi there,
I'm sure you have heard about reproducible builds. I ran lintian over a package, mars-sim, and found it generated quite a few warnings, as shown in the mars-sim bug-tracker. Talking with the Debian reproducible-builds upstream, I came to know that it may well be because of src/main/java/org/vafer/jdeb/DebMaker.java. Please take a look at it.
Hi,
In this case the .gz files weren't generated by jdeb, so unless jdeb reimplements strip-nondeterminism there isn't much we can do.
AFAICT, overwriting archive entries' modTime to 0 would help, and might even be enough. (there are a few uses of new Date() in DebMaker, but AFAICT only when signing with dpkg-sig method or generating the changes file)
Supporting the SOURCE_DATE_EPOCH environment variable would be good too.
FWIW, it looks to me like Mappers could set modTime (when jdeb is used from other tools, e.g. Nebula plugins for Gradle), but there does not seem to be a way to do this for control files.
As far as I'm concerned, adding some API such that this could be controlled at least for control files could be enough; the Nebula plugin for Gradle could then take advantage of it to respect Gradle's preserveFileTimestamps (I can't tell about the ordering of control files in jdeb, but content files are all handled by Gradle AFAICT so should –didn't actually check– already respect reproducibleFileOrder). See https://docs.gradle.org/3.4/userguide/working_with_files.html#sec:reproducible_archives (which applies to JARs, WARs, EARs, ZIPs and TARs –builtin archive types–, but not DEBs –or RPMs for that matter)
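
The timestamp normalization discussed in this thread (a fixed entry modTime, SOURCE_DATE_EPOCH, and no time-stamp in the gzip header), shown with Python's standard library as an added example; it is not jdeb code and not part of any comment above. The function names, the sample control file and the two build times are constructed for the illustration.

```python
import gzip, hashlib, io, os, tarfile

# Constructed sample: two "builds" of the same control files, differing only in mtime.
CONTROL = b"Package: example\nVersion: 1.0\nArchitecture: all\n"
BUILD_1 = {"./control": (CONTROL, 1_000_000_000), "./md5sums": (b"", 1_000_000_000)}
BUILD_2 = {"./control": (CONTROL, 1_000_000_600), "./md5sums": (b"", 1_000_000_600)}

def source_date_epoch(default=0):
    """Fixed timestamp for entries: SOURCE_DATE_EPOCH if set, else `default`."""
    return int(os.environ.get("SOURCE_DATE_EPOCH", default))

def build_tar_gz(files, entry_mtime=None, gzip_mtime=None):
    """Build a .tar.gz in memory from {name: (bytes, mtime)}.

    entry_mtime=None keeps each file's own mtime in its tar header;
    gzip_mtime=None lets gzip stamp the current time in its header.
    """
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):  # fixed entry order
            data, mtime = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime if entry_mtime is None else entry_mtime
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", filename="", mtime=gzip_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()

def gzip_header_mtime(blob):
    """MTIME field of the gzip header: bytes 4..7, little-endian (RFC 1952)."""
    return int.from_bytes(blob[4:8], "little")

if __name__ == "__main__":
    digest = lambda b: hashlib.sha256(b).hexdigest()[:16]
    # Build time leaks into both the tar headers and the gzip header.
    print("naive:     ", digest(build_tar_gz(BUILD_1, gzip_mtime=1_000_000_000)),
          digest(build_tar_gz(BUILD_2, gzip_mtime=1_000_000_600)))
    # Same inputs, timestamps pinned: the two archives are byte-identical.
    ts = source_date_epoch()
    print("normalized:", digest(build_tar_gz(BUILD_1, ts, 0)),
          digest(build_tar_gz(BUILD_2, ts, 0)))
```

Passing 0 as the gzip mtime matches what `gzip -n` writes; the tar entries take SOURCE_DATE_EPOCH when the build environment sets it.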