Debian and SOURCE_DATE_EPOCH=0
David A. Wheeler
dwheeler at dwheeler.com
Fri Feb 20 21:31:22 UTC 2026
> On Feb 20, 2026, at 12:37 PM, Vagrant Cascadian <vagrant at reproducible-builds.org> wrote:
>
> In my opinion, SOURCE_DATE_EPOCH should really be a timestamp of last
> resort, the preferred thing is to not include build timestamps at all!
It's easier to reproduce data if there are no timestamps embedded in it, sure.
However, receivers generally don't perceive these timestamps as "build" timestamps.
They aren't marked that way. They are simply "timestamps", and are required parts
of many formats (zip and tar for example). The real goal is to make them reproducible.
That can be done with:
* Meaningless reproducible value (like "1")
* Meaningful reproducible value (e.g., datetime of last git commit in source)
I personally think that providing end-users with meaningful data, when we can,
is helpful. Users often don't get enough meaningful data!
But this is a personal preference that different people can conclude differently
(even the same person for different circumstances!). It's yet another trade-off.
What matters, in the end, is reproducibility so we can eliminate
a variety of attacks.
--- David A. Wheeler
More information about the rb-general
mailing list