[pacman-dev] [PATCH] makepkg: introduce SOURCE_DATE_EPOCH

Levente Polyak anthraxx at archlinux.org
Mon Apr 17 13:53:22 UTC 2017


On 04/17/2017 03:34 PM, Andrew Gregory wrote:
> On 04/17/17 at 08:41pm, Allan McRae wrote:
>> This patch introduces the SOURCE_DATE_EPOCH environmental variable.  All files
>> in a package are adjusted to have their modification dates set to the value
>> of SOURCE_DATE_EPOCH, which defaults to "date +%s".
>>
>> Setting this variable allows a package that is built twice in the same
>> environment to be (potentially) reproducible in that the checksum of the
>> generated package file will be the same.
>>
>> Signed-off-by: Allan McRae <allan at archlinux.org>
> 
> I'm of the opinion that makepkg is the wrong place to work on
> reproducible builds.  We could probably take care of the low-hanging
> fruit directly in makepkg, but a number of packages are going to
> require more find-grained control over the environment then I think we
> should be putting in makepkg.  If you look at `perl -V`, for instance,
> it embeds the output of `uname -a` and a timestamp directly in the
> executable.  I suspect that any effort we put into reproducible builds
> with makepkg would eventually have to be duplicated with a more
> powerful wrapper script in order to handle packages like perl that
> record more of their environment than we should be manipulating in
> makepkg.
> 
> apg
> 

Makepkg is the place that we control and need to work on to make
packages created by makepkg reproducible. Currently they are not exactly
because of the reasons these patches address and there is literally no
way to get reproducible package artifacts without these patches.
Especially the deterministic way to pass in SOURCE_DATE_EPOCH is a
requirement for cases you mentioned and downstream projects using dates
in any produced artifacts should implement SOURCE_DATE_EPOCH. An
incredible high amount of projects already do so and more and more adopt
as this is getting infacto a standard (actually it already is).
No complex wrapper scripts should be needed at any place to achieve
reproducibility.

cheers,
Levente

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/pacman-dev/attachments/20170417/c07b0a34/attachment.asc>


More information about the pacman-dev mailing list