xmlgraphics-fop-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Knorr (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FOP-2854) CreationDate in PDF metadata breaks reproducible builds
Date Thu, 11 Jul 2019 14:30:00 GMT

    [ https://issues.apache.org/jira/browse/FOP-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883009#comment-16883009

Stefan Knorr commented on FOP-2854:

Sorry for being late to party here but I'd like to ask you to reopen this.

Not sure if this issue was understood correctly. Comments here make me think it was not.

The point of "reproducible builds" is not to allow manual comparison between two versions
of a document.

The point is that someone else can rebuild e.g. all packages of a Linux distribution (Debian
in Filippo's case and openSUSE in mine) and verify that all packages have the same SHA hash
sum as the packages from the original build server.

Afterward, you should be able validate that neither the vendor nor a third party have introduced
additional code/modifications beyond the things that are plainly visible as the document source.
This might at first glance seem irrelevant when it comes to PDF building but since many software
packages include some kind of documentation, one changed document date will change the SHA
sum of the entire package.

Therefore please reconsider this bug and introduce e.g. an option that will set that date
to 1970-01-01 00:00 (this date being the start of Unix period time).

> CreationDate in PDF metadata breaks reproducible builds
> -------------------------------------------------------
>                 Key: FOP-2854
>                 URL: https://issues.apache.org/jira/browse/FOP-2854
>             Project: FOP
>          Issue Type: Improvement
>          Components: renderer/pdf
>    Affects Versions: 2.3
>         Environment: Debian GNU/Linux
>            Reporter: Filippo Rusconi
>            Priority: Major
> Greetings,
> I would like to report that the CreationDate value that is set in the PDF file changes
at each run. This is problematic because that makes it impossible to run FOP in the context
of reproducible builds (see https://wiki.debian.org/ReproducibleBuilds).
> Would it be possible to create an option to set that date value manually or some equivalent
solution to this problem ?
> Thank you so much for your work on FOP !
> Regards,
> Filippo

This message was sent by Atlassian JIRA

View raw message