On Fri, Nov 11, 2022 at 2:03 PM Florian Weimer <fweimer(a)redhat.com> wrote:
* Alexander Sosedkin:
> On Fri, Nov 11, 2022 at 11:53 AM Petr Pisar <ppisar(a)redhat.com> wrote:
>> An RPM package itself carries a build time in its RPM header.
>> Are we also going to fake this time in the name of
> My opinion: yes, please do (%use_source_date_epoch_as_buildtime).
> And fake the builder hostname (%_buildhost).
> And enable back --enable-deterministic-archives in binutils:
> And do whatever else is necessary to stop shipping binary packages
> that users can't reproduce bit-to-bit.
The downside of doing this is that it's no longer possible to check
whether a build happened against a buildroot with a particular fix in
it. The time-based check was never 100% reliable, but it could be used
as a good indicator in the past.

No, no, false dichotomy alert.
This is not a case where reproducibility rules out auditability.
Not only can the build system (koji) track exact versions of builddeps
(and if it doesn't, it really should, regardless of reproducibility),
I'm also not against including builddep versions in the artifacts,
in any form, as long as it's done in a reproducible manner.
E.g., I have no problem with NixOS having them hashed
and used as the installation prefix, not at all.
In RPM world, I've even entertained an idea of having a subpackage
for auditability not unlike how we have debuginfo,
since rebuilding a package reproducibly requires builddep pinning.
But if that's avoidable, I'd rather just not mix artifacts with meta.
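The two header fields the thread argues about, checked on actual package bytes, as an added example that is not part of this thread or of rpm: a Python parser for the RPM header index (real tag numbers 1006 BUILDTIME and 1007 BUILDHOST, real section magic and data types) plus a constructed minimal .rpm writer so it runs offline; the lead bytes, the single signature-header entry and the sample times and hostnames are constructed test input.

```python
import struct
HEADER_MAGIC = b"\x8e\xad\xe8\x01"                 # real rpm header-section magic
RPMTAG_BUILDTIME, RPMTAG_BUILDHOST, RPMSIGTAG_SIZE = 1006, 1007, 1000   # real tag numbers
RPM_INT32_TYPE, RPM_STRING_TYPE = 4, 6            # real rpm data types
LEAD = b"\xed\xab\xee\xdb\x03\x00" + b"\0" * 90   # constructed 96-byte lead (magic, v3.0)

def parse_header(blob, pos):
    """Parse one header section at pos; return (tag -> value, offset after the section)."""
    assert blob[pos:pos + 4] == HEADER_MAGIC, "bad header magic at offset %d" % pos
    nindex, hsize = struct.unpack(">II", blob[pos + 8:pos + 16])
    index, store, tags = pos + 16, pos + 16 + 16 * nindex, {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">iiii", blob[index + 16 * i:index + 16 * i + 16])
        if typ == RPM_INT32_TYPE:
            tags[tag] = struct.unpack(">%di" % count, blob[store + off:store + off + 4 * count])
        elif typ == RPM_STRING_TYPE:
            tags[tag] = blob[store + off:blob.index(b"\0", store + off)].decode()
    return tags, store + hsize

def build_fields(rpm):
    """Return (BUILDTIME, BUILDHOST) from the bytes of a .rpm file."""
    _sig, pos = parse_header(rpm, len(LEAD))      # signature header follows the lead
    tags, _ = parse_header(rpm, (pos + 7) & ~7)   # main header starts on an 8-byte boundary
    return tags[RPMTAG_BUILDTIME][0], tags[RPMTAG_BUILDHOST]

def nondeterministic_fields(rpm_a, rpm_b):
    """Names of the header fields that differ between two builds of the same sources."""
    a, b = build_fields(rpm_a), build_fields(rpm_b)
    return [n for n, x, y in zip(("BUILDTIME", "BUILDHOST"), a, b) if x != y]

def make_header(entries):
    """Serialise (tag, type, value) entries into a header section (constructed test input)."""
    index = store = b""
    for tag, typ, value in entries:
        if typ == RPM_INT32_TYPE:
            store += b"\0" * (-len(store) % 4)     # int32 data is 4-byte aligned in the store
            off, count = len(store), len(value)
            store += struct.pack(">%di" % count, *value)
        else:
            off, count = len(store), 1
            store += value.encode() + b"\0"
        index += struct.pack(">iiii", tag, typ, off, count)
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store

def make_rpm(buildtime, buildhost):
    """Constructed minimal .rpm: lead, signature header, padding, main header, no payload."""
    sig = make_header([(RPMSIGTAG_SIZE, RPM_INT32_TYPE, (0,))])
    main = make_header([(RPMTAG_BUILDTIME, RPM_INT32_TYPE, (buildtime,)),
                        (RPMTAG_BUILDHOST, RPM_STRING_TYPE, buildhost)])
    return LEAD + sig + b"\0" * (-len(sig) % 8) + main
```

On real packages, pass `open(path, "rb").read()` from two rebuilds to `nondeterministic_fields`; with `%use_source_date_epoch_as_buildtime` and a fixed `%_buildhost` the list comes back empty, which is also why the time-based "was this built after the fix" check stops working.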