Re: F38 proposal: Reproducible builds: Clamp build mtimes to $SOURCE_DATE_EPOCH (System-Wide Change proposal)

On Fri, Nov 11, 2022 at 2:03 PM Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>
> * Alexander Sosedkin:
>
> > On Fri, Nov 11, 2022 at 11:53 AM Petr Pisar <ppisar@xxxxxxxxxx> wrote:
> >> An RPM package itself carries a build time in its RPM header.
> >> Are we also going to fake this time in the name of
> >> reproducibility?
> >
> > My opinion: yes, please do (%use_source_date_epoch_as_buildtime).
> > And fake the builder hostname (%_buildhost).
> > And enable back --enable-deterministic-archives in binutils:
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1195883).
> > And do whatever else is necessary to stop shipping binary packages
> > that users can't reproduce bit-to-bit.
>
> The downside of doing this is that it's no longer possible to check
> whether a build happened against a buildroot with a particular fix in
> it.  The time-based check was never 100% reliable, but it could be used
> as a good indicator in the past.

No, no, false dichotomy alert.
This is not a case where reproducibility rules out auditability.

Not only can the build system (koji) track exact versions of builddeps
(and if it doesn't, it really should, regardless of reproducibility),
I'm not against including builddep versions into the artifacts,
in any form, as long as it's done in a reproducible manner.
E.g., I have no problem with NixOS having them hashed
and used as the installation prefix, not at all.

In the RPM world, I've even entertained an idea of having a subpackage
for auditability not unlike how we have debuginfo,
since rebuilding a package reproducibly requires builddep pinning.
But if that's avoidable, I'd rather just not mix artifacts with meta.
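
Added example, not part of the original message and not Fedora, RPM or koji code: a sketch of the point argued above, that builddep versions can be recorded inside an artifact without breaking bit-for-bit reproducibility, provided mtimes are clamped to SOURCE_DATE_EPOCH and ordering is fixed. Assumptions: a plain tar archive stands in for the package payload, the `BUILDDEPS` member name is hypothetical, and all file contents, versions and timestamps are constructed.

```python
import hashlib
import io
import tarfile

def build_archive(files, builddeps, source_date_epoch):
    """Pack files plus a BUILDDEPS manifest into a byte-stable tar.

    files: {name: (content_bytes, mtime)}; builddeps: {name: version}.
    """
    # Sorted manifest: the recorded builddep versions do not depend on
    # the order in which the build system happened to list them.
    manifest = "".join(f"{n} {v}\n" for n, v in sorted(builddeps.items()))
    members = dict(files)
    members["BUILDDEPS"] = (manifest.encode(), source_date_epoch)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(members):              # stable member order
            data, mtime = members[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            # Clamp: anything newer than SOURCE_DATE_EPOCH is pulled back
            # to it; older (source) timestamps are kept.
            info.mtime = min(int(mtime), source_date_epoch)
            info.mode = 0o644
            info.uid = info.gid = 0               # no builder identity
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def digest(archive):
    return hashlib.sha256(archive).hexdigest()

def member_mtimes(archive):
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return {m.name: m.mtime for m in tar.getmembers()}

# Constructed sample data: two builds of the same sources at different
# wall-clock times, with builddeps listed in a different order.
EPOCH = 1668124800  # constructed SOURCE_DATE_EPOCH value
DEPS_A = {"gcc": "12.2.1-4", "binutils": "2.38-25"}   # constructed versions
DEPS_B = {"binutils": "2.38-25", "gcc": "12.2.1-4"}
BUILD_A = build_archive({"bin/tool": (b"\x7fELF...", EPOCH + 600),
                         "doc/README": (b"docs\n", EPOCH - 86400)}, DEPS_A, EPOCH)
BUILD_B = build_archive({"doc/README": (b"docs\n", EPOCH - 86400),
                         "bin/tool": (b"\x7fELF...", EPOCH + 99999)}, DEPS_B, EPOCH)

if __name__ == "__main__":
    print(digest(BUILD_A) == digest(BUILD_B))
```

A rebuild against a different builddep version changes the manifest and therefore the digest, so the artifact itself still answers the "which buildroot was this built against" question.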