[rb-general] Source code timestamps
hw42 at ipsumj.de
Fri Dec 2 19:54:00 CET 2016
> Are the timestamps of source files part of the inputs for a
> reproducible build ?
I think the general answer is: it depends ;P
For example for Debian currently the answer is clearly yes. The source
package is considered "the source" and it is expected that it is
extracted in a way that the contained file timestamps are retained.
There are a number of things which rely on this behavior AFAIK. (If this
is desirable is another question)
> Most of the practical reproducibility checking systems I am aware of
> start by unpacking a tarball, containing (at least most of) the
> source. Many build systems then transfer the timestamps of files
> which are to be installed unmodified into the staging area. The
> resulting timestamps are then typically bundled up into the binary
> The effect of this is that timestamps from that source tarball are
> encoded in the output binary package.
> But source code is not transmitted only through tarballs. Nowadays
> source code is transmitted via version control systems, much of the
> time. Version control systems do manage timestamps, of course, but
> often it is not possible to reliably recompute the timestamps of a
> tarball, given only the data in the version control system.
> Also, build systems depend on timestamps to operate correctly. I
> recently discovered that some packages in Debian do not build if the
> source timestamps of a freshly extracted source package are
> manipulated in reasonble (but unexpected) ways.
> Do we have a way through this swamp ?
I think that a build should not depend on file timestamps and other
similar metadata as far as reasonable possible . I raised similar
concerns when discussing timestamp clamping in . Something like git's
approach (only path and and u+x bit for normal files) seems reasonable.
Realistically we probably need something like "don't set timestamps
earlier than the extraction date" for Make like build systems.
I think there is no consensus about this. For example dpkg (AFAIK)
intentionally clamps timestamps when creating .debs (instead of setting
it to the last ChangeLog date or dropping them completely).
: A file belonging to the wrong user or changing the timestamps
during a build is for example unreasonable.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 854 bytes
Desc: OpenPGP digital signature
More information about the rb-general