[jira] [Commented] (FOP-2854) CreationDate in PDF metadata breaks reproducible builds


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/FOP-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16883009#comment-16883009 ]

Stefan Knorr commented on FOP-2854:

Sorry for being late to the party here, but I'd like to ask you to reopen this.

Not sure if this issue was understood correctly. Comments here make me think it was not.

The point of "reproducible builds" is not to allow manual comparison between two versions of a document.

The point is that someone else can rebuild e.g. all packages of a Linux distribution (Debian in Filippo's case and openSUSE in mine) and verify that all packages have the same SHA hash sum as the packages from the original build server.

Afterward, you should be able to validate that neither the vendor nor a third party has introduced additional code/modifications beyond the things that are plainly visible as the document source. This might at first glance seem irrelevant when it comes to PDF building, but since many software packages include some kind of documentation, one changed document date will change the SHA sum of the entire package.

Therefore please reconsider this bug and introduce e.g. an option that will set that date to 1970-01-01 00:00 (this date being the start of Unix period time).

> CreationDate in PDF metadata breaks reproducible builds
> -------------------------------------------------------
>                 Key: FOP-2854
>                 URL: https://issues.apache.org/jira/browse/FOP-2854
>             Project: FOP
>          Issue Type: Improvement
>          Components: renderer/pdf
>    Affects Versions: 2.3
>         Environment: Debian GNU/Linux
>            Reporter: Filippo Rusconi
>            Priority: Major
> Greetings,
> I would like to report that the CreationDate value that is set in the PDF file changes at each run. This is problematic because that makes it impossible to run FOP in the context of reproducible builds (see https://wiki.debian.org/ReproducibleBuilds).
> Would it be possible to create an option to set that date value manually or some equivalent solution to this problem?
> Thank you so much for your work on FOP!
> Regards,
> Filippo

This message was sent by Atlassian JIRA
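
The effect described in the comment above, as an added example that is not part of the original message and is not FOP code: a package whose only varying input is the PDF's CreationDate gets a different SHA-256 on every rebuild, and pinning the date makes the digests match. `render_pdf`, `package_digest`, `rebuild_matches` and the file names are hypothetical, and `render_pdf` is a constructed stand-in for a PDF renderer.

```python
import hashlib
import io
import tarfile
from datetime import datetime, timezone

def pdf_date(epoch):
    """Format a Unix timestamp as a PDF date string (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("D:%Y%m%d%H%M%SZ")

def render_pdf(body, build_epoch):
    """Constructed stand-in for a renderer: same body, build time stamped in Info."""
    return (
        "%PDF-1.4\n"
        f"1 0 obj\n<< /CreationDate ({pdf_date(build_epoch)}) >>\nendobj\n"
        f"2 0 obj\n<< /Length {len(body)} >>\nstream\n{body}\nendstream\nendobj\n"
        "trailer\n<< /Info 1 0 R >>\n%%EOF\n"
    ).encode("ascii")

def package_digest(pdf):
    """SHA-256 of a tar 'package' with fixed archive metadata; only content varies."""
    members = (
        ("usr/bin/tool", b"constructed binary payload"),
        ("usr/share/doc/tool/manual.pdf", pdf),
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 0  # pin archive-level timestamps
            tar.addfile(info, io.BytesIO(data))
    return hashlib.sha256(buf.getvalue()).hexdigest()

def rebuild_matches(origin_clock, rebuilder_clock, fixed_epoch=None):
    """Build the same source at two wall-clock times and compare package digests."""
    body = "constructed manual text"  # identical document source on both sides
    digests = []
    for clock in (origin_clock, rebuilder_clock):
        stamp = clock if fixed_epoch is None else fixed_epoch
        digests.append(package_digest(render_pdf(body, stamp)))
    return digests[0] == digests[1]

if __name__ == "__main__":
    # Constructed clocks: original build server vs. an independent rebuilder a day later.
    print("date from wall clock:", rebuild_matches(1562850000, 1562936400))
    print("date pinned to epoch 0:", rebuild_matches(1562850000, 1562936400, fixed_epoch=0))
```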