PDF files generated with pdftex and pdflatex will contain CreationDate and ModDate set to the current date and time. The PDF ID is also generated using the current time, path and file name.

Known affected packages

Detection

Example debbindiff output

Lintian will probably never check this, because extracting the timestamp from a PDF requires external dependencies, and knowing the build date requires the Debian changelog, which may be missing if for example /usr/share/doc/package links to another package.

Work-around

The PDF produced by the following Makefile snippet does not seem to depend on current date, time zone or absolute path. The ID generation emulates PDFTeX's behaviour, but uses the date of the last Debian changelog entry, and ignores the unpredictible current absolute path. The file name, however, is mentioned by du.

   1 DEB_DATE := $(shell dpkg-parsechangelog -S date)
   2 PDF_DATE := $(shell date -ud '$(DEB_DATE)' +D:%Y%m%d%H%M%SZ)
   3 tmp.pdf: tmp.tex
   4         pdflatex '\pdfinfo{/CreationDate($(PDF_DATE))/ModDate($(PDF_DATE))}\input{$<}'
   5         MD5=`(echo $(DEB_DATE) && du -b $@) | md5sum | cut -c -32` && \
   6         sed -i "s|^/ID \\[\\(<[0-9A-F]\\{32\\}>\\) \\1]$$|/ID [<$$MD5> <$$MD5>]|" $@

The PDF ID field is optional, and may safely be removed completely by replacing the two last lines with

   1         grep -av '^/ID \[\(<[0-9A-F]\{32\}>\) \1]$$' $@ > $@.without_pdf_id
   2         mv -f $@.without_pdf_id $@

Solution

A patch has been sent to pdftex upstream which expands on a previous patch, seeprevious thread. The new patch honours the implementation of the environment variable SOURCE_DATE_EPOCH. This was proposed as a way to produce deterministic timestamps, see timestamps proposal.

Another option for Debian would be to remove the field completely with dh_installdocs or similar, or at least set its content consistently (package build date, installation directory, and so on). Current situation may cause PDF files indirectly depending on the architecture to be installed into /usr/share, breaking Multiarch:same packages.

apparmor uses the file modification time instead of the current time. See Makefile and LaTeX source. But this does not solve the PDF ID.