Tools respecting SOURCE_DATE_EPOCH (was Re: Reproducible XFS Filesystems Builds for VMs)
Bernhard M. Wiedemann
bernhardout at lsmod.de
Sun Apr 13 18:11:08 UTC 2025
On 13/04/2025 18.51, Vagrant Cascadian wrote:
>> Or would you simply disagree that ending up with a predictable identical
>> man page timestamp across distributions is a worthy goal? I don't think
>> that is a goal many people seem to care about, so it is fine to have
>> disagreement here.
> I think it might be worthy ideal... but perhaps not worth the effort to
> handle all the possible permutations? Especially in the light of an
> ideal of not shipping tarballs with pregenerated contents...
>
> I mean, if it is easy, sure, go for it, but in the grander scheme of
> things, I am much more concerned about consistency within a distro than
> across distros... with built artifacts.
Indeed.
The reproducible builds we are concerned here, assume identical source,
build tools and other inputs.
If Debian comes with a different gcc and help2man version than openSUSE,
there will be no guarantee of build output matching cross-distro.
It is indeed enough for a binary to be verifiable within the distro to
ensure no corruption happened during a build.
(The exception would be a rare trusting-trust attack that can be
mitigated with diverse-double-compilation or bootstrappable builds, but
that is a different (related) project.)
Ciao
Bernhard M.
More information about the rb-general
mailing list