Then you need to include all relevant environmental variables too. And given we don't know which are relevant, we need to include all.
I'd assume that the variables defined on the makepkg.conf should be the only relevant ones, otherwise the package is not reproducible ;)

On the other hand, I do see a point in claiming that /etc/makepkg.conf is part of the toolchain, and as such it should be used to bootstrap a reproducible env. However, I do think that the intent of the buildinfo is well documented in their docs[1] (emphasis mine):

    Absolutely necessary
    “human intent”
    embedded certificates if needed (rpm + tor windows)
    source pkg. version
    source pkg hash (contents)
    source package name
    architecture (target) (GNU host)
    build instruction (deb-implicit)
    __USE flags (gentoo). debian: build profile. build time configuration__
    build-depends. Abstract description of some tool that (fully) defines Build-Depends.
    Source Name/version
    Build-depends.
    Source packages’ HASH!!!

I can see how Eli's patch can help beyond achieving the devtools environment and simplify any overlay tooling around it.
Which had privacy implications.
If you mean recording *all* the variables then I agree, but I don't think anyone is proposing this.
Assumptions need to be made for reproducibility.
Likewise, but I believe that assumptions can be discussed to reach a consensus on what these assumptions should be.

Thanks,
-Santiago.

[1] https://reproducible-builds.org/events/athens2015/buildinfo-content/