On Fri, Nov 11, 2022 at 11:53 AM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
>
> On Thu, Nov 10, 2022 at 03:23:49PM -0500, Ben Cotton wrote:
> > https://fedoraproject.org/wiki/Changes/ReproducibleBuildsClampMtimes
> >
> > == Summary ==
> >
> > The `%clamp_mtime_to_source_date_epoch` RPM macro will be set to `1`.
> > When an RPM package is built, mtimes of packaged files will be clamped
> > to `$SOURCE_DATE_EPOCH`
>
> Clamp as capping maximal mtime, or resetting mtime for all files? I.e. If
> I had a source file dated 1970-01-01 and installed it with "install -p", will
> the packaged file retain that 1970-01-01 date, or will it be set to the date
> of the latest changelog, e.g. 2022-11-11? In other words, will all files in
> a package have the same mtime, or there won't be an mtime newer than the
> changelog entry?

Second. Original message:

>> Clamping means that all files which would otherwise have a
>> modification datetime higher than `$SOURCE_DATE_EPOCH` will have the
>> modification datetime changed to `$SOURCE_DATE_EPOCH`; files with
>> mtime lower (or equal) to `$SOURCE_DATE_EPOCH` will retain the
>> original mtimes.

> > which is already set to the date of the latest `%changelog` entry.
>
> What's a changelog entry date in case of rpmautospec changelog? Is it
> a git AuthorDate or CommitDate?
>
> > As a result, more RPM packages will be reproducible:
>
> Where will this reproducibility stop?

Ideally, when it's achieved, and 100% of Fedora will be reproducible
under reprotest =P

> An RPM package itself carries a build time in its RPM header.
> Are we also going to fake this time in the name of
> reproducibility?

My opinion: yes, please do (%use_source_date_epoch_as_buildtime).
And fake the builder hostname (%_buildhost).
And enable back --enable-deterministic-archives in binutils:
(https://bugzilla.redhat.com/show_bug.cgi?id=1195883).
And do whatever else is necessary to stop shipping binary packages
that users can't reproduce bit-to-bit.

> What value these faked timestamps have?

None.

> E.g. a compiled file is a function not only of its source, but also of the compiler.

Nods in NixOS.

> This proposed change removes
> the compiler part from the timestamp. Will timestamps like this be helpful?
> Wouldn't be easier to admit that timestamps are nonsense and simply eradicate
> all of them stamps from various data formats rather than trying to fake them?
> Simply changing rpmbuild to set timestamp to 0 for all contained files, or
> removing the time attribute from the RPM format completely?

Would be wonderful. Mixing metadata with data has always been a mistake.
Reproducibility is at stakes with auditability, and the second must be
driven off or given up on. The metainformation of which host has built
the artifact and when has no place within the artifact itself.
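
The clamping rule quoted in this message, as an added example that is not part of the thread and is not rpm's own code: a small Python model of "cap, do not reset", applied to a constructed build tree. The function name `clamp_mtimes`, the file names and the epoch value are assumptions made for the illustration.

```python
import os
import tempfile


def clamp_mtimes(root, source_date_epoch):
    """Cap mtimes under root at source_date_epoch.

    Entries newer than the epoch are set to the epoch; entries with an
    mtime lower than or equal to it are left untouched.
    Returns the sorted relative paths that were changed.
    """
    changed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            # lstat/utime on the link itself so a symlink target outside
            # the tree is never modified.
            if os.lstat(path).st_mtime > source_date_epoch:
                os.utime(path, (source_date_epoch, source_date_epoch),
                         follow_symlinks=False)
                changed.append(os.path.relpath(path, root))
    return sorted(changed)


def demo():
    # Constructed value: 2022-11-11 00:00:00 UTC, standing in for the
    # date of the latest %changelog entry.
    sde = 1668124800
    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "old-source.txt")
        new = os.path.join(root, "built.o")
        for p in (old, new):
            open(p, "w").close()
        os.utime(old, (0, 0))                    # 1970-01-01, kept by "install -p"
        os.utime(new, (sde + 3600, sde + 3600))  # produced during the build
        changed = clamp_mtimes(root, sde)
        return changed, int(os.stat(old).st_mtime), int(os.stat(new).st_mtime)


if __name__ == "__main__":
    print(demo())
```

The 1970-01-01 file from the question keeps its date, and only the file newer than the epoch is rewritten, so files in one package can still carry different mtimes.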