Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make the build reproducible #19

Conversation

@lamby
Copy link

lamby commented Dec 7, 2019

Whilst working on the Reproducible Builds effort we noticed that infernal could not be built reproducibly.

This is because it embeds the current build timestamp and the absolute build directory from which it was built into generated files. This patch checks that if SOURCE_DATE_EPOCH is set and, if so, omits these fields.

(This was originally filed in Debian as #946315)

Whilst working on the Reproducible Builds effort [0] we noticed that
infernal could not be built reproducibly.

This is because it embeds the current build timestamp and the absolute
build directory from which it was built into generated files. This
patch checks that if SOURCE_DATE_EPOCH [1] is set and, if so, omits
these fields.

This was originally filed in Debian as #946315 [2].

 [0] https://reproducible-builds.org/
 [1] https://reproducible-builds.org/specs/source-date-epoch/
 [2] https://bugs.debian.org/946315

Signed-off-by: Chris Lamb <lamby@debian.org>
@cryptogenomicon

This comment has been minimized.

Copy link
Member

cryptogenomicon commented Dec 7, 2019

I think you may have misunderstood the code. The code you have modified is not embedding a timestamp or build directory into the compiled binaries. It is recording the current time and working directory of an analysis result, in output result files, at runtime, and we believe this is an important feature. I'm going to reject the pull request for this reason.

@lamby

This comment has been minimized.

Copy link
Author

lamby commented Dec 7, 2019

The code you have modified is not embedding a timestamp or build directory into the compiled binaries.

… but it is embedding them into generated files and if these files are built and then shipped (like they are in Debian) then it results in the package being unreproducible. Also, do note that this does not disable this recording in the usual case, only when SOURCE_DATE_EPOCH is enabled which can be used as a signal for "I want a reproducible build". :)

@cryptogenomicon

This comment has been minimized.

Copy link
Member

cryptogenomicon commented Dec 7, 2019

Sounds like your definition of "reproducible" is at odds with ours. We're recording runtime information to assist in reproducibility of analyses.

@bmwiedemann

This comment has been minimized.

Copy link

bmwiedemann commented Dec 14, 2019

It is worth noting, that SOURCE_DATE_EPOCH is only set during package build, so runtime behaviour remains unchanged by this patch.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
3 participants
You can’t perform that action at this time.