On Sun 2016-11-13 22:33:29 +0900, Chris Lamb wrote: >> Multiple builds of the same source package will set SOURCE_DATE_EPOCH to >> the same value but will result in a different Build-Date. > > … but that would mean that a reproducible build will result in .buildinfo > files with different contents (varying on Build-Date). > > That seems, at the very least, somewhat non-intuitive to me. It is definitely not what most of us initially expected, but it is actually what we want. i look at it this way: * Ideally, the generated binary packages are reproducible *even when the build environment changes*. For example, I build a package as the user "dkg" on machine "alice" in path /home/dkg/src/foo, and you build it as "lamby" on machine "bob" in path /home/lamby/work/foo/foo, and we should get the same outcome. * The buildinfo file documents things that *might* influence the build, but it also documents things that *should not* influence the build. Two differing buildinfo files that produced the same output effectively say "even when the build environment varies in the way that these two do, the package is still reproducible" * We actually don't want people to have to replicate the exact build environment to get a binary match. I think it was Ximin who pointed out: "all software is reproducible if you create an exact atom-by-atom copy of the original build computer before building". But that's not what we really mean by reproducible builds. In short, we *want* buildinfos to vary, while we want the generated binary artifacts to be reproducible. --dkg
Attachment:
signature.asc
Description: PGP signature