On 17/04/17 23:34, Andrew Gregory wrote:
On 04/17/17 at 08:41pm, Allan McRae wrote:
This patch introduces the SOURCE_DATE_EPOCH environmental variable. All files in a package are adjusted to have their modification dates set to the value of SOURCE_DATE_EPOCH, which defaults to "date +%s".
Setting this variable allows a package that is built twice in the same environment to be (potentially) reproducible in that the checksum of the generated package file will be the same.
Signed-off-by: Allan McRae <allan@archlinux.org>
I'm of the opinion that makepkg is the wrong place to work on reproducible builds. We could probably take care of the low-hanging fruit directly in makepkg, but a number of packages are going to require more find-grained control over the environment then I think we should be putting in makepkg. If you look at `perl -V`, for instance, it embeds the output of `uname -a` and a timestamp directly in the executable. I suspect that any effort we put into reproducible builds with makepkg would eventually have to be duplicated with a more powerful wrapper script in order to handle packages like perl that record more of their environment than we should be manipulating in makepkg.
I agree that makepkg is not the place for much of this. However, the SOURCE_DATE_EPOCH variable is a standard and we require makepkg to understand it and make a few other minor changes for any tool to have a chance of recreating a package from its PKGBUILD and .BUILDINFO file. I am not looking to extend the changes beyond this initial patchset. Allan