On Fri, Nov 11, 2022 at 2:03 PM Florian Weimer <fwei...@redhat.com> wrote:
>
> * Alexander Sosedkin:
>
> > On Fri, Nov 11, 2022 at 11:53 AM Petr Pisar <ppi...@redhat.com> wrote:
> >> An RPM package itself carries a build time in its RPM header.
> >> Are we also going to fake this time in the name of
> >> reproducibility?
> >
> > My opinion: yes, please do (%use_source_date_epoch_as_buildtime).
> > And fake the builder hostname (%_buildhost).
> > And enable back --enable-deterministic-archives in binutils:
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1195883).
> > And do whatever else is necessary to stop shipping binary packages
> > that users can't reproduce bit-to-bit.
>
> The downside of doing this is that it's no longer possible to check
> whether a build happened against a buildroot with a particular fix in
> it. The time-based check was never 100% reliable, but it could be used
> as a good indicator in the past.
No, no, false dichotomy alert. This is not a case where reproducibility
rules out auditability. Not only can the build system (koji) track exact
versions of builddeps (and if it doesn't, it really should, regardless of
reproducibility), I'm not against including builddep versions in the
artifacts, in any form, as long as it's done in a reproducible manner.
E.g., I have no problem with NixOS having them hashed and used as the
installation prefix, not at all. In the RPM world, I've even entertained
the idea of having a subpackage for auditability, not unlike how we have
debuginfo, since rebuilding a package reproducibly requires builddep
pinning. But if that's avoidable, I'd rather just not mix artifacts with
meta.
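As an added illustration of the point made in this reply (not code from the thread, koji or rpm): a build-metadata manifest can pin builddep versions for auditability while still being bit-for-bit reproducible, by taking the build time from SOURCE_DATE_EPOCH, using a fixed builder name, and sorting the dependency list. The package names, versions and the REPRO_BUILDHOST variable below are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original thread: a deterministic
# "buildinfo" manifest kept separate from the package payload.
# All package NVRs used with it are constructed sample values.

# Portable sha256 of stdin (sha256sum on GNU, shasum on BSD/macOS).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# buildinfo_manifest NAME-VERSION-RELEASE BUILDDEP_NVR...
# Canonical form: fixed field order, build time from SOURCE_DATE_EPOCH
# (the same idea as %use_source_date_epoch_as_buildtime), a fixed builder
# name (the same idea as overriding %_buildhost; REPRO_BUILDHOST is an
# assumed variable for this example) and a sorted, de-duplicated dep list,
# so the output does not depend on when or where the build ran or on the
# order in which the builddeps were discovered.
buildinfo_manifest() {
    nvr=$1
    shift
    printf 'package: %s\n' "$nvr"
    printf 'buildtime: %s\n' "${SOURCE_DATE_EPOCH:?set SOURCE_DATE_EPOCH}"
    printf 'buildhost: %s\n' "${REPRO_BUILDHOST:-reproducible}"
    printf 'builddeps:\n'
    printf '%s\n' "$@" | LC_ALL=C sort -u | sed 's/^/  /'
}

# Digest of the manifest: identical across rebuilds with the same pinned
# builddeps, different as soon as any pinned version changes.
buildinfo_hash() {
    buildinfo_manifest "$@" | sha256_stdin
}
```

Comparing the digest of a rebuild against the one shipped with the original build tells an auditor whether the same pinned buildroot was used, without any of that metadata leaking into the binary payload.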