<!DOCTYPE html><html><head><title></title><style type="text/css">p.MsoNormal,p.MsoNoSpacing{margin:0}</style></head><body><div>On Wed, Nov 13, 2024, at 00:19, Vagrant Cascadian wrote:<br></div><blockquote type="cite" id="qt" style=""><div>On 2024-11-12, John Gilmore wrote:<br></div><div>> Roland Clobus <<a href="mailto:rclobus@rclobus.nl">rclobus@rclobus.nl</a>> wrote:<br></div><div>>> It should be noted that regular user _will not_ and _should not_ set<br></div><div>>> SOURCE_DATE_EPOCH [6]. That environment variable is typically used for<br></div><div>>> rebuilds.<br></div><div>><br></div><div>> Certainly many programmers will set the variable, particularly during<br></div><div>> development or debugging sessions. And they will and should expect the<br></div><div>> ordinary programs that they run in that shell to keep working -- whether<br></div><div>> they are written in Java or not.<br></div><div><br></div><div>What about C? It has been the default behavior in GCC and CLANG for<br></div><div>years. Numerous other programming environments as well.<br></div><div><div>The vast majority of reproducible builds fixes are from various<br></div><div>toolchains respecting SOURCE_DATE_EPOCH.<br></div></div></blockquote><div><br></div><div>We're not talking about the Java compiler here, but about the Java runtime environment - so the equivalent would be to recommend the libc date and time functions to honor SOURCE_DATE_EPOCH. While there's something to be said for that as well, it's a bit more extreme.<br></div><div><br></div><div>ca-certificates-java has some Debian-specific Java code that uses the JDK KeyStore APIs to create a keystore (<a href="https://sources.debian.org/src/ca-certificates-java/20240118/">https://sources.debian.org/src/ca-certificates-java/20240118/</a>). As Roland mentions above, the JDK JavaKeyStore implementation uses 'new Date()' to put the 'current' date into the 'date' field of the KeyEntry ('the creation date of this entry'). 
The KeyStore APIs don't seem to provide a way to influence that value, and it ends up in the end result.<br></div><div><br></div><div>This means AFAICT adding a flag to ca-certificates-java like John suggests as an alternative is not really possible without changes to the KeyStore API in the JRE. Perhaps a nice middle ground would be for the JavaKeyStore implementation to honor SOURCE_DATE_EPOCH for the date of the key entries? <a href="https://reproducible-builds.org/docs/source-date-epoch/#java--gradle">https://reproducible-builds.org/docs/source-date-epoch/#java--gradle</a><br></div><div><br></div><div><br></div><div>Kind regards,<br></div><div><br></div><div id="sig124436424"><div class="signature">-- <br></div><div class="signature">Arnout Engelen<br></div><div class="signature">Engelen Open Source<br></div><div class="signature"><a href="https://engelen.eu">https://engelen.eu</a><br></div></div><div><br></div></body></html>