Source: apg
Severity: normal
Tags: upstream
Dear Maintainer,
During recent rebuilds[1][2] of src:apg in build environments where the build user had a non-zero group-id, the resulting apg_2.2.3.dfsg.1-7_arm64.deb files were not reproducible[3], due to the group-id and groupname appearing in the php.tar.gz file.
The fact that the package currently requires root (or fakeroot) to build seems to make it more difficult for automated tests[4] to uncover the group-id variance -- because those test builds interpret the requirement by using either a genuine root account, or fakeroot, during the test build, and this obscures the problem.
Fixing zero numeric UID/GID permissions on the php.tar.gz file might be a straightforward fix for the reproducibility bug -- but before doing that, I'd suggest removing the Rules-Requires-Root clause from the control file. This would allow the problem to be detected by automated tests, enabling those same tests to verify a fix.
Regards,
James
[1] - https://reproduce.debian.net/amd64/api/v0/builds/250671/diffoscope
[2] - https://reproduce.debian.net/arm64/api/v0/builds/159768/diffoscope
[3] - https://reproducible-builds.org
[4] - https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/apg.html
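
Added example, not part of the original bug report and not apg's packaging code: a Python sketch of how the builder's group-id and groupname reach the bytes of a tar.gz, and how forcing ownership to zero makes two builds identical. The member name, payload, and the uid/gid values are constructed for illustration; the real contents of php.tar.gz are not shown in the report.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample payload standing in for the files packed into php.tar.gz.
FILES = {"php/sample.php": b"<?php /* constructed sample */ ?>\n"}


def build_digest(gid, gname, normalize):
    """SHA-256 of a tar.gz built by a user whose primary group is gid/gname.

    With normalize=True the ownership fields are forced to zero, comparable
    to GNU tar's --owner=0 --group=0 --numeric-owner.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(FILES):          # fixed member order
            data = FILES[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = 0                  # fixed so only ownership varies
            info.uid, info.uname = 1000, "builder"   # hypothetical build user
            info.gid, info.gname = gid, gname        # the field that varied
            if normalize:
                info.uid = info.gid = 0
                info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # mtime=0 keeps the gzip header itself free of a build timestamp.
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return hashlib.sha256(out.getvalue()).hexdigest()


def compare():
    """Return (unnormalized builds match, normalized builds match)."""
    plain = build_digest(0, "root", False) == build_digest(1000, "builder", False)
    fixed = build_digest(0, "root", True) == build_digest(1000, "builder", True)
    return plain, fixed


if __name__ == "__main__":
    print("unnormalized match: %s, normalized match: %s" % compare())
```

Because both simulated builders produce the same digest only in the normalized case, a test build run without root or fakeroot is what exposes the difference in the first place.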