[pacman-dev] [PATCH v3] makepkg: respect $SOURCE_DATE_EPOCH to activate reproducible builds

Allan McRae allan at archlinux.org
Wed Sep 13 02:53:26 UTC 2017


On 24/08/17 07:12, Eli Schwartz wrote:
> If SOURCE_DATE_EPOCH is set, `touch` all source files before running
> build() to fix the modification times. This works around build systems
> and compilers that embed the file modification times into the file
> contents of release artifacts.
> 
> Signed-off-by: Eli Schwartz <eschwartz at archlinux.org>
> ---
> 
> v3: add makepkg(8) documentation
> 
>  doc/makepkg.8.txt     | 16 ++++++++++++++++
>  scripts/makepkg.sh.in | 14 +++++++++++++-
>  2 files changed, 29 insertions(+), 1 deletion(-)
> 
> diff --git a/doc/makepkg.8.txt b/doc/makepkg.8.txt
> index 2dff1b19..4258e6bd 100644
> --- a/doc/makepkg.8.txt
> +++ b/doc/makepkg.8.txt
> @@ -206,6 +206,7 @@ Options
>  *\--printsrcinfo*::
>  	Generate and print the SRCINFO file to stdout.
>  
> +
>  Additional Features
>  -------------------
>  makepkg supports building development versions of packages without having to
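
Review bot: the blank line added before "Additional Features" is the only change in this hunk and is unrelated to SOURCE_DATE_EPOCH handling. Suggest moving this whitespace cleanup to its own commit, or noting it in the commit message, so the documentation change stays easy to audit.
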
> @@ -214,6 +215,19 @@ separate utility 'versionpkg'. See linkman:PKGBUILD[5] for details on how to
>  set up a development PKGBUILD.
>  
>  
> +Reproducibility
> +---------------
> +makepkg is designed to be compatible with
> +link:https://reproducible-builds.org/docs/[Reproducible Builds]. If the
> +**SOURCE_DATE_EPOCH** environment variable is set, it will be exported to
> +subprocesses, and source and package file modification times and package
> +metadata will be unified based on the timestamp specified.
> +
> +If the **SOURCE_DATE_EPOCH** environment variable is not set, makepkg will use
> +its own start date for internal use, but is not responsible for ensuring the
> +package files themselves are built reproducibly.
> +

I don't like the phrasing there.  How about:

If the **SOURCE_DATE_EPOCH** environment variable is not set, makepkg
will use its own start date for internal use, but will not unify source
file timestamps before building.

> +
>  Environment Variables
>  ---------------------
>  **PACMAN**::
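
Review bot: the second paragraph of the new Reproducibility section says makepkg uses its own start date "for internal use", but the scripts/makepkg.sh.in part of this patch still runs `export SOURCE_DATE_EPOCH` after falling back to `$(date +%s)`, so subprocesses receive that value as well. Suggest saying so explicitly, for example that in this case the variable is set to makepkg's start time and exported, so the text does not imply that the fallback value stays inside makepkg.
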
> @@ -265,6 +279,8 @@ Environment Variables
>  	Specify a key to use when signing packages, overriding the GPGKEY setting
>  	in linkman:makepkg.conf[5]
>  
> +**SOURCE_DATE_EPOCH=**"<date>"::
> +	Used for link:https://reproducible-builds.org/docs/[Reproducible Builds].
>  
>  Configuration
>  -------------
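
Review bot: the `"<date>"` placeholder in the new SOURCE_DATE_EPOCH entry does not say what format is expected, while the script defaults the value from `date +%s` and passes it to `touch -d @$SOURCE_DATE_EPOCH`, i.e. seconds since the Unix epoch. Suggest stating that in the description and pointing to the new Reproducibility section. The hunk also leaves a single blank line before "Configuration", whereas the first hunk of this file adds a second blank line before a section heading.
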
> diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
> index 20e9dd7e..77d39ca5 100644
> --- a/scripts/makepkg.sh.in
> +++ b/scripts/makepkg.sh.in
> @@ -79,6 +79,7 @@ PKGFUNC=0
>  PKGVERFUNC=0
>  PREPAREFUNC=0
>  REPKG=0
> +REPRODUCIBLE=0
>  RMDEPS=0
>  SKIPCHECKSUMS=0
>  SKIPPGPCHECK=0
> @@ -87,7 +88,12 @@ SPLITPKG=0
>  SOURCEONLY=0
>  VERIFYSOURCE=0
>  
> -export SOURCE_DATE_EPOCH=${SOURCE_DATE_EPOCH:-$(date +%s)}
> +if [[ -n $SOURCE_DATE_EPOCH ]]; then
> +	REPRODUCIBLE=1
> +else
> +	SOURCE_DATE_EPOCH=$(date +%s)
> +fi
> +export SOURCE_DATE_EPOCH
>  
>  PACMAN_OPTS=()
>  
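
Review bot: the `[[ -n $SOURCE_DATE_EPOCH ]]` test accepts any non-empty string from the environment, and that string is later handed to `touch -d @$SOURCE_DATE_EPOCH` in run_build(). Suggest validating it here as a plain decimal number of seconds, e.g. `[[ $SOURCE_DATE_EPOCH =~ ^[0-9]+$ ]]`, and aborting with an error otherwise, so a malformed value fails once at startup instead of inside find/touch.
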
> @@ -475,6 +481,12 @@ run_prepare() {
>  }
>  
>  run_build() {
> +	if (( REPRODUCIBLE )); then
> +		# We have activated reproducible builds, so unify source times before
> +		# building
> +		find "$srcdir" -exec touch -h -d @$SOURCE_DATE_EPOCH {} +
> +	fi
> +

I don't like this in run_build().  That will introduce an undocumented
requirement that a PKGBUILD has a build() function to have its source
file timestamps unified.

I am happy with the location suggested here:
https://github.com/anthraxx/pacman/commit/520acf93


>  	run_function_safe "build"
>  }
>  
> 
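
Review bot: in the `find "$srcdir" -exec touch` line, `@$SOURCE_DATE_EPOCH` is expanded unquoted, so an environment-supplied value containing whitespace or glob characters is split or expanded into extra arguments to touch; quote it as `"@$SOURCE_DATE_EPOCH"`. Nothing in the hunk checks the exit status of find either, so a failed touch would still fall through to `run_function_safe "build"` with mixed timestamps while REPRODUCIBLE is 1.
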

