-
Notifications
You must be signed in to change notification settings - Fork 25
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to create reproducable builds #117
Comments
SOURCE_DATE_EPOCH support is now implemented but in a slightly different way from rpmbuild. If the environment variable is set and parses correctly, we just use it, whereas rpmbuild has a separate flag for enabling it that you have to configure. We don't currently have a way to clamp file mtimes, nor use the most recent changelog timestamp as the build timestamp. Maybe it makes sense to put all of this behind one "reproducable" option on Open for discussion. |
I think the default should be to build reproducible rpms, the user then can opt in to provide i.e. the current timestamp or file timestamps or buildhost they desire. This would also enable the option to shed a few dependencies for i.e. the |
I'm told that in practice those fields are quite useful for debugging purposes, so it's actually useful to opt-in to reproducibility rather than the other way around. But I don't build RPMs myself frequently, so I can't validate that with personal experience. |
However, I can presume that is with regards to |
If you want to take this issue and 5cfc3be#diff-b82882f602be2cf2d09fd6546c2097235d9417da83223e9516b8eb783c6257ffR233 and work on it, then that is fine with me. |
@drahnr How do you think
ought to be handled, if at all. Basically you could rewrite the same bit-identical file (if this were part of some build pipeline) which would still end up changing the resulting package. The mtime is derived from the file on our end, so it's not possible to work around. |
I'm going to close this on the basis of reproducible builds being possible (the title is satisfied), although we should continue to improve the ergonomics. |
We need to have the same knobs that rpmbuild has to enable reproducible package builds. Timestamps and various other things get in the way.
As far as I know the needed features are (equivalents to):
SOURCE_DATE_EPOCH is referring to https://reproducible-builds.org/docs/source-date-epoch/
The text was updated successfully, but these errors were encountered: