[rb-general] Source code timestamps
HW42
hw42 at ipsumj.de
Fri Dec 2 19:54:00 CET 2016
Ian Jackson:
> Are the timestamps of source files part of the inputs for a
> reproducible build ?
I think the general answer is: it depends ;P
For example for Debian currently the answer is clearly yes. The source
package is considered "the source" and it is expected that it is
extracted in a way that the contained file timestamps are retained.
There are a number of things which rely on this behavior AFAIK. (Whether
this is desirable is another question.)
> Most of the practical reproducibility checking systems I am aware of
> start by unpacking a tarball, containing (at least most of) the
> source. Many build systems then transfer the timestamps of files
> which are to be installed unmodified into the staging area. The
> resulting timestamps are then typically bundled up into the binary
> package.
>
> The effect of this is that timestamps from that source tarball are
> encoded in the output binary package.
>
> But source code is not transmitted only through tarballs. Nowadays
> source code is transmitted via version control systems, much of the
> time. Version control systems do manage timestamps, of course, but
> often it is not possible to reliably recompute the timestamps of a
> tarball, given only the data in the version control system.
>
> Also, build systems depend on timestamps to operate correctly. I
> recently discovered that some packages in Debian do not build if the
> source timestamps of a freshly extracted source package are
> manipulated in reasonable (but unexpected) ways.
>
> Do we have a way through this swamp ?
I think that a build should not depend on file timestamps and other
similar metadata as far as reasonably possible [0]. I raised similar
concerns when discussing timestamp clamping in [1]. Something like git's
approach (only path and u+x bit for normal files) seems reasonable.
Realistically we probably need something like "don't set timestamps
earlier than the extraction date" for Make-like build systems.
I think there is no consensus about this. For example dpkg (AFAIK)
intentionally clamps timestamps when creating .debs (instead of setting
them to the last ChangeLog date or dropping them completely).
[0]: A file belonging to the wrong user or changing the timestamps
during a build is for example unreasonable.
[1]: http://lists.reproducible-builds.org/pipermail/rb-general/2016-November/000111.html
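As an added illustration of the distinction the thread draws between retaining, clamping and dropping timestamps (this is example code written for this page, not code from dpkg, git, or any participant in the thread), the following Python simulates three "builds" of the same small source tree and packs each into a tar archive. Everything in it is constructed: the sample files and their mtimes, the SOURCE_DATE_EPOCH value, and a build that emits one generated file stamped with the build time. The clamping rule is assumed to be min(mtime, epoch), i.e. timestamps older than the epoch are kept and newer ones are pulled down to it.

```python
"""Added example: how file mtimes leak into a built archive, and what
retaining, clamping, and dropping them each do for reproducibility."""
import hashlib
import io
import tarfile

# Constructed source tree (content only); mtimes are supplied per "build".
CONTENT = {
    "pkg/Makefile": b"all: hello\n",
    "pkg/hello.c": b"int main(void) { return 0; }\n",
}
# Constructed mtimes a tarball would carry and a retaining unpack keeps.
TARBALL_MTIMES = {"pkg/Makefile": 1_400_000_000, "pkg/hello.c": 1_450_000_000}
# Constructed epoch (e.g. a changelog date) later than the tarball mtimes.
SOURCE_DATE_EPOCH = 1_470_000_000


def build_tree(source_mtimes, build_time):
    """Simulate a build: sources keep whatever mtime the unpack gave them;
    the build adds one generated file stamped with the build time."""
    tree = {path: (CONTENT[path], source_mtimes[path]) for path in CONTENT}
    tree["pkg/hello"] = (b"\x7fELF constructed binary\n", build_time)
    return tree


# Two builds from the same tarball, unpacked with timestamps retained,
# run at different times (all times constructed).
TARBALL_BUILD_1 = build_tree(TARBALL_MTIMES, 1_481_000_000)
TARBALL_BUILD_2 = build_tree(TARBALL_MTIMES, 1_485_000_000)
# A build from a git checkout: git stores no mtimes, so every file gets
# the checkout time, which here coincides with the build time.
GIT_BUILD = build_tree({p: 1_483_000_000 for p in CONTENT}, 1_483_000_000)


def clamp_mtime(mtime, epoch=SOURCE_DATE_EPOCH):
    """Assumed clamping rule: keep old timestamps, pull newer ones down to
    the epoch. Relative order among pre-epoch files is preserved, which
    is what Make-like tools care about; nothing moves forward in time."""
    return min(mtime, epoch)


def set_mtime_to_epoch(mtime, epoch=SOURCE_DATE_EPOCH):
    """The alternative the thread mentions: set every timestamp to one
    fixed date, discarding the source timestamps entirely."""
    return epoch


def build_archive(tree, normalize=None):
    """Pack a tree into an uncompressed GNU tar in sorted member order with
    fixed owner and mode, so mtime is the only field that can vary."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(tree):
            content, mtime = tree[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            info.mtime = normalize(mtime) if normalize else mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def archive_digest(tree, normalize=None):
    return hashlib.sha256(build_archive(tree, normalize)).hexdigest()


def archives_match(tree_a, tree_b, normalize=None):
    """True when two builds yield bit-identical archives."""
    return archive_digest(tree_a, normalize) == archive_digest(tree_b, normalize)


if __name__ == "__main__":
    for label, norm in (("retained", None), ("clamped", clamp_mtime),
                        ("fixed epoch", set_mtime_to_epoch)):
        print(f"{label:12} tarball vs tarball:",
              archives_match(TARBALL_BUILD_1, TARBALL_BUILD_2, norm),
              " tarball vs git:", archives_match(TARBALL_BUILD_1, GIT_BUILD, norm))
```

Retained timestamps make even two builds from the same tarball differ, because the generated file carries the build time. Clamping fixes that pair, but the tarball build and the git build still differ: the pre-epoch timestamps from the tarball survive clamping and git never had them, which is the dependency on "extracted in a way that the contained file timestamps are retained" described above. Only setting every timestamp to the epoch makes all three agree, at the cost of discarding the source timestamps a Make-like build might rely on.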