Hi Simon,

> > This attempts to make
> > reproducible tarballs by sorting the files and passing the
> > "--mtime=<date>" option to tar.
...
> Having the same mtime on all files in a tarball

First question: What is the point of doing that?

Reproducibility is about verifying that an artifact A was generated from a source S.

When I, as a GNU maintainer or uploader, create a tarball and upload it to ftp.gnu.org, that tarball is the source S. Because that's what I sign with my GPG key. The commits in the git repo aren't the source, and even the git checkout on my disk isn't the source — because I am free to unpack and repack the tarball as I like, before I upload it to ftp.gnu.org.

When someone runs a complex build on possibly untrusted servers in the cloud, then it makes sense to view the tarball as an artifact A and the git repository as the source S. (If the git repository is hosted elsewhere. If the git repository is being hosted on the same untrusted servers, it is not sufficient.)

As a consequence, please make such modifications dependent on an option or environment variable (maybe SOURCE_DATE_EPOCH [1]?); don't activate them for everyone.

> 1) Having the same mtime on all files in a tarball may cause problems

Definitely. HP-UX 'make' attempts to rebuild a file Y that depends on a file X, if Y and X have the same timestamp (mtime). It is long known that you have to have actually different timestamps for some files.

Bruno

[1] https://reproducible-builds.org/docs/source-date-epoch/
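The opt-in behaviour asked for above, as an added example that is not part of this thread or of any GNU project's code: a POSIX shell function that builds an ordinary tarball by default and, only when SOURCE_DATE_EPOCH is set, sorts the members in C-locale order, clamps every mtime to that epoch, normalizes owner and group, and strips the timestamp from the gzip header. The function names (make_tarball, tarball_sha256, tarball_members) are my own, and the invocation assumes GNU tar (for --mtime, --owner/--group, --numeric-owner, --no-recursion and -T -), GNU gzip and sha256sum.

```shell
#!/bin/sh
# Added example (not from the thread): build DIR into OUT.tar.gz.
# Reproducible normalisation is opt-in: it happens only when
# SOURCE_DATE_EPOCH is set, so default tarballs keep their real mtimes
# (which matters for makes, such as HP-UX's, that misbehave on equal mtimes).
# Assumes GNU tar, gzip and sha256sum; helper names are hypothetical.
make_tarball() {
  src=$1
  out=$2
  parent=$(dirname "$src")
  base=$(basename "$src")
  if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
    # 1. Deterministic member order: list everything, sort bytewise.
    # 2. --no-recursion so the sorted list alone decides order and contents.
    # 3. Clamp mtime, owner and group so host-specific metadata does not leak in.
    # 4. gzip -n omits the original file name and timestamp from the gzip header.
    (cd "$parent" && find "$base" -print | LC_ALL=C sort) |
      (cd "$parent" && tar --no-recursion -T - \
           --mtime="@$SOURCE_DATE_EPOCH" \
           --owner=0 --group=0 --numeric-owner \
           -cf -) |
      gzip -n -9 > "$out"
  else
    # Default path: an ordinary tarball with real mtimes and ownership.
    (cd "$parent" && tar -cf - "$base") | gzip -9 > "$out"
  fi
}

# Print the SHA-256 of a file; two reproducible builds must agree on this.
tarball_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# List archive members in stored order (to check the sorting).
tarball_members() {
  tar -tzf "$1"
}
```

Usage: `SOURCE_DATE_EPOCH=$(git log -1 --format=%ct) make_tarball ./pkg-1.0 pkg-1.0.tar.gz`, then compare `tarball_sha256` across two machines. Without the variable the function behaves like a plain `tar cf | gzip`, so nobody's mtimes are flattened unless they asked for it.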
