* Alexander Sosedkin:
On Fri, Nov 11, 2022 at 11:53 AM Petr Pisar <ppisar(a)redhat.com>
wrote:
> An RPM package itself carries a build time in its RPM header.
> Are we also going to fake this time in the name of
> reproducibility?
My opinion: yes, please do (%use_source_date_epoch_as_buildtime).
And fake the builder hostname (%_buildhost).
And enable back --enable-deterministic-archives in binutils:
(https://bugzilla.redhat.com/show_bug.cgi?id=1195883).
And do whatever else is necessary to stop shipping binary packages
that users can't reproduce bit-to-bit.
The downside of doing this is that it's no longer possible to check
whether a build happened against a buildroot with a particular fix in
it. The time-based check was never 100% reliable, but it could be used
as a good indicator in the past.
Thanks,
Florian