[rb-general] Source code timestamps

Ian Jackson ijackson at chiark.greenend.org.uk
Fri Dec 2 16:00:31 CET 2016

Are the timestamps of source files part of the inputs for a
reproducible build ?

Most of the practical reproducibility checking systems I am aware of
start by unpacking a tarball, containing (at least most of) the
source.  Many build systems then transfer the timestamps of files
which are to be installed unmodified into the staging area.  The
resulting timestamps are then typically bundled up into the binary

The effect of this is that timestamps from that source tarball are
encoded in the output binary package.

But source code is not transmitted only through tarballs.  Nowadays
source code is transmitted via version control systems, much of the
time.  Version control systems do manage timestamps, of course, but
often it is not possible to reliably recompute the timestamps of a
tarball, given only the data in the version control system.

Also, build systems depend on timestamps to operate correctly.  I
recently discovered that some packages in Debian do not build if the
source timestamps of a freshly extracted source package are
manipulated in reasonble (but unexpected) ways.

Do we have a way through this swamp ?


Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

More information about the rb-general mailing list