On 07/18/2018 06:26 PM, Allan McRae wrote:
> Then you need to include all relevant environmental variables too. And given we don't know which are relevant, we need to include all. Which had privacy implications.
>
> Assumptions need to be made for reproducibility. I'm happy with the package being built in a clean chroot as that assumption.

I'm okay with makepkg only recording the information it is personally responsible for setting in the first place. :) That's what my patch does.

If people are creating packages in such a way that the environment outside of makepkg affects the result, then there's really nothing that can handle that -- a thousand different tools have a thousand different boutique configuration files, for example.

As long as both packages are built in, and record, some sort of environment where any input to the build process comes exclusively from:

- the list of packages installed on the system
- the PKGBUILD
- makepkg.conf
- the public API documented in makepkg(1) -- essentially, BUILDDIR and PKGEXT

I will be happy, since makepkg has "done its duty" as far as reproducibility goes.

The best way to ensure this is to build packages using a clean user account, but I don't think devtools should be implied, nor should makepkg itself consider reproducible build support to be conditional on devtools/makechrootpkg.

--
Eli Schwartz
Bug Wrangler and Trusted User