Strange things with timestamps on Debian (sudo)

Marc Haber mh+rb-general at zugschlus.de
Wed Mar 16 16:54:04 UTC 2022


[tl;dr building with faketime yields Debian package with timestamps
different from building without faketime, causing reprotest to fail]

Hi,

nice to meet you. I am one of the Debian maintainers of sudo and I have
a problem with getting sudo built reproducibly. This message is full of
Debian stuff, but I didn't find any reproducible-builds related mailing
list in Debian. Please direct me to the appropriate list if I'm wrong
here.

sudo is on salsa, https://salsa.debian.org/sudo-team/sudo, and uses
salsa-ci pipelines for Continuous Integration. One of the tests that
salsa-ci does is running reprotest to test for reproducibility. With the
adorable help of Upstream, it was possible to get sudo to at least build
in the nasty reprotest variant environments, but the results are sadly
not reproducible and I am at a loss about what the Debian maintainers
can do here.

The following results have been prepared with help from
#debian-reproducible.

The problem is that in the sudo-ldap package, some files in
/usr/share/doc/sudo-ldap end up in the package with different time
stamps if one of the build processes is run with faketime.

For the demonstration, the debian/changelog timestamp was set to the
current time, 16 Mar 2022 16:13:33 +0100. It is sufficient to just use
faketime, keeping Timezone and locale to the current, normal values.

When the package is built with
$ faketime +362days+9hours+47minutes debian/rules binary
the software gets installed to debian/sudo-ldap/usr/share/doc/sudo-ldap,
yielding the following directory listing:
[3/4997]mh at salida:~/packages/sudo/build-area/faketime $ ls -al
sudo-1.9.10/debian/sudo-ldap/usr/share/doc/sudo-ldap/
total 752K
drwxr-xr-x 3 root root 4,0K Mär 16 16:21 ./
drwxr-xr-x 3 root root 4,0K Mär 16 16:21 ../
-rw-r--r-- 1 root root  17K Mär 14  2023 changelog.Debian.gz
-rw-r--r-- 1 root root 594K Mär  1  2023 changelog.gz
-rw-r--r-- 1 root root 2,9K Mär 16 16:21 CONTRIBUTING.md
-rw-r--r-- 1 root root 2,6K Mär 14  2023 CONTRIBUTORS.md.gz
-rw-r--r-- 1 root root 7,7K Mär 16 16:13 copyright
drwxr-xr-x 2 root root 4,0K Mär 16 16:21 examples/
-rw-r--r-- 1 root root 3,0K Mär 16 16:21 HISTORY.md
-rw-r--r-- 1 root root 1,1K Mär 14  2023 NEWS.Debian.gz
-rw-r--r-- 1 root root  48K Mär 14  2023 NEWS.gz
-rw-r--r-- 1 root root 1,5K Mär 14  2023 OPTIONS
-rw-r--r-- 1 root root 2,9K Mär 10  2024 README.LDAP.md.gz
-rw-r--r-- 1 root root 3,5K Mär  1  2023 README.md
-rw-r--r-- 1 root root 1,5K Jan 22  2024 schema.ActiveDirectory.gz
-rw-r--r-- 1 root root 2,3K Jan 25  2023 schema.iPlanet
-rw-r--r-- 1 root root 2,7K Jan 25  2023 schema.olcSudo
-rw-r--r-- 1 root root 2,5K Jan 25  2023 schema.OpenLDAP
-rw-r--r-- 1 root root 2,0K Mär 16 16:21 SECURITY.md
-rw-r--r-- 1 root root 5,9K Mär 14  2023 TROUBLESHOOTING.md.gz
-rw-r--r-- 1 root root 8,5K Mär 14  2023 UPGRADE.md.gz

Notice some timestamps being set to the future due to the faketime call.
I duly notice that not all file times get set to the future the same
way, see schema.ActiveDirectory.gz, README.LDAP.md.gz and
schema.iPlanet.

When I unpack the deb (dpkg-deb -x sudo-ldap*.deb sudo-ldap), this all
ends up being reset to the changelog timestamp:
[4/4998]mh at salida:~/packages/sudo/build-area/faketime $ ls -al
sudo-ldap/usr/share/doc/sudo-ldap/
total 752K
drwxr-xr-x 3 mh mh 4,0K Mär 16 16:13 ./
drwxr-xr-x 3 mh mh 4,0K Mär 16 16:13 ../
-rw-r--r-- 1 mh mh  17K Mär 16 16:13 changelog.Debian.gz
-rw-r--r-- 1 mh mh 594K Mär 16 16:13 changelog.gz
-rw-r--r-- 1 mh mh 2,9K Mär 16 16:13 CONTRIBUTING.md
-rw-r--r-- 1 mh mh 2,6K Mär 16 16:13 CONTRIBUTORS.md.gz
-rw-r--r-- 1 mh mh 7,7K Mär 16 16:13 copyright
drwxr-xr-x 2 mh mh 4,0K Mär 16 16:13 examples/
-rw-r--r-- 1 mh mh 3,0K Mär 16 16:13 HISTORY.md
-rw-r--r-- 1 mh mh 1,1K Mär 16 16:13 NEWS.Debian.gz
-rw-r--r-- 1 mh mh  48K Mär 16 16:13 NEWS.gz
-rw-r--r-- 1 mh mh 1,5K Mär 16 16:13 OPTIONS
-rw-r--r-- 1 mh mh 2,9K Mär 16 16:13 README.LDAP.md.gz
-rw-r--r-- 1 mh mh 3,5K Mär 16 16:13 README.md
-rw-r--r-- 1 mh mh 1,5K Mär 16 16:13 schema.ActiveDirectory.gz
-rw-r--r-- 1 mh mh 2,3K Mär 16 16:13 schema.iPlanet
-rw-r--r-- 1 mh mh 2,7K Mär 16 16:13 schema.olcSudo
-rw-r--r-- 1 mh mh 2,5K Mär 16 16:13 schema.OpenLDAP
-rw-r--r-- 1 mh mh 2,0K Mär 16 16:13 SECURITY.md
-rw-r--r-- 1 mh mh 5,9K Mär 16 16:13 TROUBLESHOOTING.md.gz
-rw-r--r-- 1 mh mh 8,5K Mär 16 16:13 UPGRADE.md.gz

I guess this is done by dpkg-deb creating the actual deb as this is
documented to use the SOURCE_DATE_EPOCH environment variable, which gets
set by debhelper, to clamp the mtime (whatever this means).
tar's --clamp-mtime option is documented as "Only set time when the file
is more recent than what was given with --mtime." I guess that tar is
invoked with --mtime $SOURCE_DATE_EPOCH and all the timestamps get
reset since there is no timestamp in the past.

However, when I build without faketime, this is different. Here is the
raw directory:
[46/5030]mh at salida:~/packages/sudo/build-area/notime $ ls -al
sudo-1.9.10/debian/sudo-ldap/usr/share/doc/sudo-ldap/
total 752K
drwxr-xr-x 3 root root 4,0K Mär 16 16:26 ./
drwxr-xr-x 3 root root 4,0K Mär 16 16:25 ../
-rw-r--r-- 1 root root  17K Mär 16 16:13 changelog.Debian.gz
-rw-r--r-- 1 root root 594K Mär  3 19:33 changelog.gz
-rw-r--r-- 1 root root 2,9K Mär 16 16:25 CONTRIBUTING.md
-rw-r--r-- 1 root root 2,6K Mär 16 16:25 CONTRIBUTORS.md.gz
-rw-r--r-- 1 root root 7,7K Mär 16 16:13 copyright
drwxr-xr-x 2 root root 4,0K Mär 16 16:25 examples/
-rw-r--r-- 1 root root 3,0K Mär 16 16:25 HISTORY.md
-rw-r--r-- 1 root root 1,1K Mär 16 16:13 NEWS.Debian.gz
-rw-r--r-- 1 root root  48K Mär 16 16:25 NEWS.gz
-rw-r--r-- 1 root root 1,5K Mär 16 16:13 OPTIONS
-rw-r--r-- 1 root root 2,9K Mär 16 16:14 README.LDAP.md.gz
-rw-r--r-- 1 root root 3,5K Mär  3 19:29 README.md
-rw-r--r-- 1 root root 1,5K Jan 27 22:24 schema.ActiveDirectory.gz
-rw-r--r-- 1 root root 2,3K Jan 27 22:24 schema.iPlanet
-rw-r--r-- 1 root root 2,7K Jan 27 22:24 schema.olcSudo
-rw-r--r-- 1 root root 2,5K Jan 27 22:24 schema.OpenLDAP
-rw-r--r-- 1 root root 2,0K Mär 16 16:25 SECURITY.md
-rw-r--r-- 1 root root 5,9K Mär 16 16:25 TROUBLESHOOTING.md.gz
-rw-r--r-- 1 root root 8,5K Mär 16 16:25 UPGRADE.md.gz

where we have, for example, schema.iPlanet, well in the past. This ends
up in the package with its original timestamp:

[47/5031]mh at salida:~/packages/sudo/build-area/notime $ ls -al
sudo-ldap/usr/share/doc/sudo-ldap/
total 752K
drwxr-xr-x 3 mh mh 4,0K Mär 16 16:13 ./
drwxr-xr-x 3 mh mh 4,0K Mär 16 16:13 ../
-rw-r--r-- 1 mh mh  17K Mär 16 16:13 changelog.Debian.gz
-rw-r--r-- 1 mh mh 594K Mär  3 19:33 changelog.gz
-rw-r--r-- 1 mh mh 2,9K Mär 16 16:13 CONTRIBUTING.md
-rw-r--r-- 1 mh mh 2,6K Mär 16 16:13 CONTRIBUTORS.md.gz
-rw-r--r-- 1 mh mh 7,7K Mär 16 16:13 copyright
drwxr-xr-x 2 mh mh 4,0K Mär 16 16:13 examples/
-rw-r--r-- 1 mh mh 3,0K Mär 16 16:13 HISTORY.md
-rw-r--r-- 1 mh mh 1,1K Mär 16 16:13 NEWS.Debian.gz
-rw-r--r-- 1 mh mh  48K Mär 16 16:13 NEWS.gz
-rw-r--r-- 1 mh mh 1,5K Mär 16 16:13 OPTIONS
-rw-r--r-- 1 mh mh 2,9K Mär 16 16:13 README.LDAP.md.gz
-rw-r--r-- 1 mh mh 3,5K Mär  3 19:29 README.md
-rw-r--r-- 1 mh mh 1,5K Jan 27 22:24 schema.ActiveDirectory.gz
-rw-r--r-- 1 mh mh 2,3K Jan 27 22:24 schema.iPlanet
-rw-r--r-- 1 mh mh 2,7K Jan 27 22:24 schema.olcSudo
-rw-r--r-- 1 mh mh 2,5K Jan 27 22:24 schema.OpenLDAP
-rw-r--r-- 1 mh mh 2,0K Mär 16 16:13 SECURITY.md
-rw-r--r-- 1 mh mh 5,9K Mär 16 16:13 TROUBLESHOOTING.md.gz
-rw-r--r-- 1 mh mh 8,5K Mär 16 16:13 UPGRADE.md.gz

which then causes diffoscope and reprotest to go *KABOOM*.

Am I missing something here? Is there something wrong in the package? Or
is this weird behavior of the toolchain or reprotest? In my
understanding, this is SUPPOSED to happen when a package is built with
system time set in the future.

Explain please. Thank you.

Greetings
Marc



-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
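
Added example (not part of the original message, and not dpkg-deb's or debhelper's code): a Python model of the clamp rule quoted in the message, applied to four files from the two staging listings, showing which packaged mtimes differ between the normal and the faketime build. The helper names, the seconds, and the time of day of the faketime mtimes are constructed.

```python
import hashlib, io, tarfile
from datetime import datetime, timedelta, timezone

CET = timezone(timedelta(hours=1))

def ts(*ymdhm):
    """Epoch seconds for a +0100 wall-clock time (year, month, day[, hour, minute])."""
    return int(datetime(*ymdhm, tzinfo=CET).timestamp())

# debian/changelog timestamp from the message: 16 Mar 2022 16:13:33 +0100
SOURCE_DATE_EPOCH = int(datetime(2022, 3, 16, 16, 13, 33, tzinfo=CET).timestamp())

# Staging-tree mtimes read off the two "ls -al" listings. Seconds, and the
# time of day in the faketime run, are not shown there and are constructed.
NORMAL = {"schema.iPlanet": ts(2022, 1, 27, 22, 24), "README.md": ts(2022, 3, 3, 19, 29),
          "NEWS.gz": ts(2022, 3, 16, 16, 25), "copyright": ts(2022, 3, 16, 16, 13)}
FAKETIME = {"schema.iPlanet": ts(2023, 1, 25), "README.md": ts(2023, 3, 1),
            "NEWS.gz": ts(2023, 3, 14), "copyright": ts(2022, 3, 16, 16, 13)}

def pack(tree, epoch, clamp=True):
    """Tar the tree. clamp=True models --mtime=@epoch --clamp-mtime (only newer
    files are reset); clamp=False models --mtime=@epoch alone (all files reset)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.mtime = min(tree[name], epoch) if clamp else epoch
            tar.addfile(info)  # empty bodies: only the metadata matters here
    return buf.getvalue()

def packaged_mtimes(archive):
    """Map member name -> mtime as stored in the archive."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return {m.name: m.mtime for m in tar.getmembers()}

def differing(a, b):
    """Names whose stored mtime differs between two archives of the same tree."""
    ma, mb = packaged_mtimes(a), packaged_mtimes(b)
    return sorted(n for n in ma if ma[n] != mb[n])

def digest(archive):
    return hashlib.sha256(archive).hexdigest()

if __name__ == "__main__":
    a, b = pack(NORMAL, SOURCE_DATE_EPOCH), pack(FAKETIME, SOURCE_DATE_EPOCH)
    print("mtimes that differ after clamping:", differing(a, b))
    print("archives identical:", digest(a) == digest(b))
```

Files older than SOURCE_DATE_EPOCH in the normal build keep their own mtime, while the same files in the faketime build are newer than the epoch and get clamped, so the two archives differ even though the file contents are the same.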

