Chris Lamb: > Hey Johannes, > >> Multiple builds of the same source package will set SOURCE_DATE_EPOCH to >> the same value but will result in a different Build-Date. > > … but that would mean that a reproducible build will result in .buildinfo > files with different contents (varying on Build-Date). A .buildinfo file documents the build and is not expected to be identical between different builds (see also Josch's link). For example when using sbuild you will always get a different Build-Path if you use the default settings (and this should be fine). > That seems, at the very least, somewhat non-intuitive to me. Yes ;] > A case might even be made that varying on Build-Date makes our distribution > problem more difficult; as the files aren't identical we can't easily > "de-duplicate" them with detached signatures. Perhaps I'm missing something > obvious. As described above that's by design and when getting different .buildinfos from different builders there will be more differences (Build-Path, Environment(, Build-Architecture)). So a trivial de-duplication won't work anyway.
Description: OpenPGP digital signature