Package: ckbuilder
Version: 2.3.0+dfsg-2
Severity: normal
User: reproducible-bui...@lists.alioth.debian.org
Usertags: toolchain timestamps

Hi,

While working on the “reproducible builds” effort [1], we have noticed
that ckbuilder embeds the build time in two places: copyright headers on the
built JavaScript files, and a ".options.timestamp" field in the generated code
itself. This behaviour makes packages generated by ckbuilder (i.e. ckeditor)
unreproducible.

The attached patch fixes this behaviour by honoring the SOURCE_DATE_EPOCH [2]
environment variable.

[1] https://wiki.debian.org/ReproducibleBuilds
[2] https://reproducible-builds.org/specs/source-date-epoch/
diff --git debian/changelog debian/changelog
index 98e47d0..4f53bb9 100644
--- debian/changelog
+++ debian/changelog
@@ -1,3 +1,9 @@
+ckbuilder (2.3.0+dfsg-2.0~reproducible1) UNRELEASED; urgency=medium
+
+  * FIX timestamps in copyright notices
+
+ -- boyska <piutto...@logorroici.org>  Mon, 28 Mar 2016 21:23:15 -0400
+
 ckbuilder (2.3.0+dfsg-2) unstable; urgency=medium
 
   * Depends += "libprotobuf-java".
diff --git debian/patches/now-respects-source-date-epoch.patch debian/patches/now-respects-source-date-epoch.patch
new file mode 100644
index 0000000..6a84658
--- /dev/null
+++ debian/patches/now-respects-source-date-epoch.patch
@@ -0,0 +1,63 @@
+Description: respect SOURCE_DATE_EPOCH spec
+ ckbuilder puts a buildtime timestamp both in comments and in other part of
+ generated js. This patch make it observe SOURCE_DATE_EPOCH, so to allow for
+ reproducible builds
+ See https://reproducible-builds.org/specs/source-date-epoch/
+ .
+ ckbuilder (2.3.0+dfsg-2.0~reproducible1) UNRELEASED; urgency=medium
+ .
+   * FIX timestamps in copyright notices
+Author: boyska <piutto...@logorroici.org>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- a/src/ckbuilder.js
++++ b/src/ckbuilder.js
+@@ -35,7 +35,11 @@
+ 	} catch ( e ) {
+ 		isMinified = false;
+ 	}
+-	var now = new Date();
++	if(System.env.get('SOURCE_DATE_EPOCH') !== null) {
++		var now = new Date(parseInt(System.getenv("SOURCE_DATE_EPOCH"), 10) * 1000);
++	} else {
++		var now = new Date();
++	}
+ 	var timestamp = Integer.toString( now.getUTCFullYear() % 1000, 36 ) + Integer.toString( now.getUTCMonth(), 36 ) + Integer.toString( now.getUTCDate(), 36 ) + Integer.toString( now.getUTCHours(), 36 );
+ 	timestamp = timestamp.toUpperCase();
+ 
+--- a/src/lib/utils.js
++++ b/src/lib/utils.js
+@@ -30,8 +30,12 @@
+ 		 * @static
+ 		 */
+ 		copyright: function( eol ) {
+-			var copyright,
+-				date = new Date();
++			var copyright;
++			if(System.env.get('SOURCE_DATE_EPOCH') !== null) {
++				var date = new Date(parseInt(System.getenv("SOURCE_DATE_EPOCH"), 10) * 1000);
++			} else {
++				var date = new Date();
++			}
+ 
+ 			if ( CKBuilder.options.commercial )
+ 				copyright = "/*" + eol + "This software is covered by CKEditor Commercial License. Usage without proper license is prohibited." + eol + "Copyright (c) 2003-" + date.getFullYear() + ", CKSource - Frederico Knabben. All rights reserved." + eol + "*/" + eol;
+@@ -221,4 +225,4 @@
+ 			return result;
+ 		}
+ 	};
+-}() );
+\ No newline at end of file
++}() );
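Review bot: A SOURCE_DATE_EPOCH that is set but empty or non-numeric makes `parseInt(...)` return NaN in both added branches (src/ckbuilder.js and `copyright` in src/lib/utils.js), so `now`/`date` becomes an invalid Date and the build embeds values derived from NaN (for example "2003-NaN" in the copyright header) instead of falling back or failing. Reading the variable once and checking the result would close that, e.g. `var epoch = parseInt( System.getenv( "SOURCE_DATE_EPOCH" ), 10 );` followed by `var now = isNaN( epoch ) ? new Date() : new Date( epoch * 1000 );`, which also removes the mix of `System.env.get(...)` for the test and `System.getenv(...)` for the value. The copyright line still calls `date.getFullYear()`, which is local time, so near a year boundary the output presumably still depends on the build machine's timezone; `getUTCFullYear()` would match the UTC getters the timestamp code already uses. Both enclosing functions start and end outside the embedded hunks.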
diff --git debian/patches/series debian/patches/series
index 11053e4..549e272 100644
--- debian/patches/series
+++ debian/patches/series
@@ -1,3 +1,4 @@
 make.patch
 notar.patch
 unmerge.patch
+now-respects-source-date-epoch.patch
