Make the build reproducible #2646
Conversation
Whilst working on the Reproducible Builds effort [0], we noticed that vue-router could not be built reproducibly. This is due to it embedding the current build year into the file headers. This has been replaced with using SOURCE_DATE_EPOCH [1] where available. This was originally filed in Debian as #924378 [2]. [0] https://reproducible-builds.org/ [1] https://reproducible-builds.org/specs/source-date-epoch/ [2] https://bugs.debian.org/924378
|
hey, I don't get this, in what situation current code isn't working? |
It builds differently depending on which year you happen to be building |
|
yeah, that's the point, to write current year. In what situation is |
|
It's not that it "doesn't work", it is that it generates a different result depending on the year. This makes the build non-reproducible which is important for a variety of reasons - see the links in my original post! :) |
|
I appreciate your concern but you are still not explaining things to me... |
|
I am not going into great depth here, but I would not want to bore you by explaining things here that you might have read elsewhere already… for example https://reproducible-builds.org/docs/buy-in/ etc. |
|
It's the first time I've heard about reproducible builds and I have read just a bit with the links you sent me but I really don't see what attack this is preventing. I will rather see the opposite as it is using an env variable that doesn't seem to be standard in every unix os (it doesn't exist in osx). Maybe there is a problem for other languages or libraries but I don't see what is being prevented here, I just see the code becoming more complicated for no benefit. Don't worry about copy pasting things that I may know, I won't feel bothered or anything, I get your intentions seem good |
|
Unfortunately my time is really stretched so you can imagine that I cannot spend 1 hour on each pull request explaining the background and justify the reasons behind reproducible builds. Perhaps you could spend a few moments reviewing some slides/presentations on our Resources page. Again, really sorry I cannot provide a custom justification to every single project... |
|
It's okay, I understand |
Cool; fancy applying the patch in that case? :) |
Whilst working on the Reproducible Builds effort, we noticed that vue-router could not be built reproducibly.
This is due to it embedding the current build year into the file headers. This has been replaced with using
SOURCE_DATE_EPOCHwhere available. This was originally filed in Debian as #924378.