Source: apg
Severity: normal
Tags: upstream

Dear Maintainer,

During recent rebuilds[1][2] of src:apg in build environments where the build user had a non-zero group-id, the resulting apg_2.2.3.dfsg.1-7_arm64.deb files were not reproducible[3], due to the group-id and groupname appearing in the php.tar.gz file.

The fact that the package currently requires root (or fakeroot) to build seems to make it more difficult for automated tests[4] to uncover the group-id variance -- because those test builds interpret the requirement by using either a genuine root account, or fakeroot, during the test build, and this obscures the problem.

Fixing zero numeric UID/GID permissions on the php.tar.gz file might be a straightforward fix for the reproducibility bug -- but before doing that, I'd suggest removing the Rules-Requires-Root clause from the control file. This would allow the problem to be detected by automated tests, enabling those same tests to verify a fix.

Regards,
James

[1] - https://reproduce.debian.net/amd64/api/v0/builds/250671/diffoscope
[2] - https://reproduce.debian.net/arm64/api/v0/builds/159768/diffoscope
[3] - https://reproducible-builds.org
[4] - https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/apg.html
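
The ownership variance described in the report, as an added example that is not part of the original bug report or the apg packaging: it builds the same tar payload as two different build users, lists the entries whose headers leak a non-zero uid/gid or a user/group name, and shows that resetting ownership to numeric 0:0 makes the archives byte-identical. The member name, user names and ids are constructed sample values, and the archive is left uncompressed with a fixed mtime so that ownership is the only varying field.

```python
import hashlib
import io
import tarfile

# Constructed sample payload; the real contents of php.tar.gz are not shown in the report.
SAMPLE_FILES = {"php/example.php": b"<?php /* constructed sample */ ?>\n"}


def reset_owner(info):
    """Mirror GNU tar's --owner=0 --group=0 --numeric-owner on one header."""
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def build_tar(uid, gid, uname, gname, normalize=False):
    """Build a tar in memory as if created by the given (constructed) build user."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(SAMPLE_FILES):  # stable member order
            data = SAMPLE_FILES[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0  # fixed, so only ownership can differ between builds
            info.mode = 0o644
            info.uid, info.gid, info.uname, info.gname = uid, gid, uname, gname
            tar.addfile(reset_owner(info) if normalize else info, io.BytesIO(data))
    return buf.getvalue()


def ownership_leaks(tar_bytes):
    """Return (member, uid, gid, uname, gname) for entries not owned by numeric 0:0."""
    leaks = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar:
            if m.uid or m.gid or m.uname or m.gname:
                leaks.append((m.name, m.uid, m.gid, m.uname, m.gname))
    return leaks


if __name__ == "__main__":
    for gid, gname in ((1000, "builder"), (1234, "sbuild")):  # constructed build users
        raw = build_tar(1000, gid, "builder", gname)
        fixed = build_tar(1000, gid, "builder", gname, normalize=True)
        print(gid, hashlib.sha256(raw).hexdigest()[:16], ownership_leaks(raw))
        print(gid, hashlib.sha256(fixed).hexdigest()[:16], ownership_leaks(fixed))
```
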