On Fri, Nov 11, 2022 at 2:03 PM Florian Weimer
<fweimer(a)redhat.com> wrote:
>
> * Alexander Sosedkin:
>
> > On Fri, Nov 11, 2022 at 11:53 AM Petr Pisar <ppisar(a)redhat.com> wrote:
> >> An RPM package itself carries a build time in its RPM header.
> >> Are we also going to fake this time in the name of
> >> reproducibility?
> >
> > My opinion: yes, please do (%use_source_date_epoch_as_buildtime).
> > And fake the builder hostname (%_buildhost).
> > And re-enable --enable-deterministic-archives in binutils
> > (https://bugzilla.redhat.com/show_bug.cgi?id=1195883).
> > And do whatever else is necessary to stop shipping binary packages
> > that users can't reproduce bit-to-bit.
>
> The downside of doing this is that it's no longer possible to check
> whether a build happened against a buildroot with a particular fix in
> it. The time-based check was never 100% reliable, but it could be used
> as a good indicator in the past.
No, no, false dichotomy alert.
This is not a case where reproducibility rules out auditability.

Sure, not in principle. I merely wanted to point out that this takes
away a bit of information that was useful to some of us before.
Thanks,
Florian