Zip files record the mtimes of the files packed into them. When those files are generated during the build, their mtimes differ from one build to the next, so the resulting archive is not reproducible.

Known affected packages

Detection

Example debbindiff output

Work-around

strip-nondeterminism will normalize Zip files.

Solution

Use find, xargs, and touch to adjust file mtimes before zip is run. Example:

BUILD_DATE := $(shell dpkg-parsechangelog --show-field=Date)
[…]
       find '$(DIR)' -newermt '$(BUILD_DATE)' -print0 | \
               xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
       […] zip […]

You may also need to use zip -o/zip --latest-time to set the last-modification timestamp of the zip file itself to that of its most recently modified member, use zip -X/zip --no-extra to omit extended timestamps from the zip file, and/or export TZ=UTC to force zip to use UTC for the local-time MS-DOS timestamps in the zip file.
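The effect of the clamping step can be checked without running a full build. The following is an added example, not part of the original page: it uses Python's zipfile module in place of the zip command, and the file names, contents and dates are constructed sample data. It packs the same tree with two different build times, shows that the archives differ, and shows that lowering only the mtimes newer than BUILD_DATE makes them byte-identical.

```python
import hashlib
import io
import zipfile
from datetime import datetime

# Constructed stand-in for BUILD_DATE (the changelog date).
BUILD_DATE = datetime(2015, 1, 12, 10, 0, 0)

def make_zip(files, cutoff=None):
    """Pack {name: (data, mtime)}; with cutoff, lower newer mtimes to it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):          # fixed member order
            data, mtime = files[name]
            if cutoff is not None:
                mtime = min(mtime, cutoff)  # same effect as find -newermt + touch
            info = zipfile.ZipInfo(name, date_time=mtime.timetuple()[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def members_newer_than(zip_bytes, cutoff):
    """Names of members whose recorded mtime is later than cutoff."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if datetime(*i.date_time) > cutoff]

def digest(zip_bytes):
    return hashlib.sha256(zip_bytes).hexdigest()

def tree(build_time):
    """Constructed source tree: one checked-in file, one generated file."""
    return {
        "src/Main.java": (b"class Main {}\n", datetime(2014, 12, 1, 9, 30, 0)),
        "gen/Version.class": (b"\xca\xfe\xba\xbe", build_time),
    }

# Two builds of identical content, run at different (constructed) times.
BUILD_A = tree(datetime(2015, 3, 1, 8, 0, 0))
BUILD_B = tree(datetime(2015, 3, 2, 17, 45, 12))

if __name__ == "__main__":
    print("unclamped equal:", digest(make_zip(BUILD_A)) == digest(make_zip(BUILD_B)))
    print("newer than BUILD_DATE:", members_newer_than(make_zip(BUILD_A), BUILD_DATE))
    a, b = make_zip(BUILD_A, BUILD_DATE), make_zip(BUILD_B, BUILD_DATE)
    print("clamped equal:", digest(a) == digest(b))
```

members_newer_than can also be pointed at the bytes of a real build artifact to list the members that still carry build-time mtimes.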

Note that the -S (or --show-field) option does not work well on Ubuntu 14.04 (aka Trusty). If you plan to backport your package to that distribution, you can extract the date field without the -S option like this:

dpkg-parsechangelog | grep '^Date:' | cut -d' ' -f2-