[pacman-dev] [PATCH] makepkg: respect $SOURCE_DATE_EPOCH to activate reproducible builds

Eli Schwartz eschwartz93 at gmail.com
Thu Jul 6 17:26:20 UTC 2017


If SOURCE_DATE_EPOCH is set, `touch` all source files before running
build() to fix the modification times. This works around build systems
and compilers that embed the file modification times into the file
contents of release artifacts.

Signed-off-by: Eli Schwartz <eschwartz93 at gmail.com>
---

Guarded by checking for the variable, because this stomps all over
incremental builds.

I prefer looking for SOURCE_DATE_EPOCH in the environment because less
bloat IMHO, but perhaps this would be preferable as a makepkg flag or
makepkg.conf option?

Is there anything else that needs to be done to force reproducible
builds, other than merely setting SOURCE_DATE_EPOCH which should be
harmless as a global thing?

 scripts/makepkg.sh.in | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index 20e9dd7e..fb1d40a9 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -79,15 +79,22 @@ PKGFUNC=0
 PKGVERFUNC=0
 PREPAREFUNC=0
 REPKG=0
+REPRODUCIBLE=0
 RMDEPS=0
 SKIPCHECKSUMS=0
 SKIPPGPCHECK=0
 SIGNPKG=''
 SPLITPKG=0
 SOURCEONLY=0
+
 VERIFYSOURCE=0
 
-export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-$(date +%s)}
+if [[ -n $SOURCE_DATE_EPOCH ]]; then
+	REPRODUCIBLE=1
+else
+	SOURCE_DATE_EPOCH=$(date +%s)
+fi
+export SOURCE_DATE_EPOCH
 
 PACMAN_OPTS=()
 
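Review bot: The `[[ -n $SOURCE_DATE_EPOCH ]]` test treats any non-empty value as a request for reproducible mode, so a malformed value inherited from the environment sets REPRODUCIBLE=1 and is exported unchanged. Since the other hunk hands the value to `touch -d`, consider checking here that it is a plain integer number of seconds, for example `[[ $SOURCE_DATE_EPOCH =~ ^[0-9]+$ ]]`, and aborting with an error otherwise. Two smaller points: the blank line added between `SOURCEONLY=0` and `VERIFYSOURCE=0` looks like an unintended whitespace change, and because the behaviour now depends on an environment variable it should be described in the makepkg documentation, which this patch does not touch.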
@@ -475,6 +482,12 @@ run_prepare() {
 }
 
 run_build() {
+	if (( REPRODUCIBLE )); then
+		# We have activated reproducible builds, so unify source times before
+		# building
+		find "$srcdir" -exec touch -h -d @$SOURCE_DATE_EPOCH {} +
+	fi
+
 	run_function_safe "build"
 }
 
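Review bot: In the `find "$srcdir" -exec touch ...` line, `@$SOURCE_DATE_EPOCH` is unquoted, so a value containing whitespace or glob characters is word-split or expanded before it reaches `touch`; write `-d "@$SOURCE_DATE_EPOCH"`. The `@<seconds>` argument to `-d` is GNU touch syntax, so this deserves a comment or a fallback if other touch implementations are expected. Nothing in the hunk checks the result of `find`/`touch` either, so if setting the timestamps fails, `run_function_safe "build"` still runs and the package is built as though the times had been unified; checking the status and stopping with an error would avoid that.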
-- 
2.13.2

