Daniel Milde <daniel@milde.cz> (2021-02-12):
> how do you make reproducible builds when the software is using build
> variables linked via -X?
>
> E.g.
> https://salsa.debian.org/go-team/packages/gdu/-/blob/debian/sid/debian/rules

It's fun for you to ask today while I've toyed with that just yesterday:
https://salsa.debian.org/go-team/packages/crowdsec/-/commit/ddebb3b0fc576a65636fb167912efca5c4dd6fa9

> Is it bad practice to have these build variables at all (maybe except
> version)?

More information about the SOURCE_DATE_EPOCH concept “upstream”:
https://reproducible-builds.org/specs/source-date-epoch/

On the dpkg side that seems to date back to:

    dpkg (1.18.19) unstable; urgency=medium
      …
      * Always set SOURCE_DATE_EPOCH in dpkg-buildpackage and dpkg-source.
      * Use the current date if the changelog does not have one. Closes: #849081
      …
     -- Guillem Jover <guillem@debian.org>  Fri, 27 Jan 2017 05:43:36 +0100

I don't know what your upstream could do with the build user
information, I think I'd probably strip it. (That is not to say that you
should add the variables you can see above in the crowdsec case, that's
merely a proof of concept at this stage, to retain all metadata that
upstream is currently setting in their Makefile.)

Cheers,
--
Cyril Brulebois -- Debian Consultant @ DEBAMAX -- https://debamax.com/
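
Added example, not part of the original message or of either package's debian/rules: a shell helper that derives an -X build-date value from SOURCE_DATE_EPOCH instead of the wall clock and leaves build-user information out. The variable names main.Version and main.BuildDate are hypothetical, and GNU date syntax is assumed.

```shell
#!/bin/sh
# Added example. main.Version and main.BuildDate are hypothetical Go
# variable names; substitute whatever the upstream Makefile sets via -X.

# Print a UTC timestamp derived only from SOURCE_DATE_EPOCH.
# Refuses to fall back to the wall clock, which would differ on every build.
repro_build_date() {
    case "${SOURCE_DATE_EPOCH:-}" in
        ''|*[!0-9]*)
            echo "SOURCE_DATE_EPOCH must be set to an integer" >&2
            return 1
            ;;
    esac
    # Assumption: GNU date (coreutils), which accepts "@<seconds>".
    # LC_ALL=C and -u keep the output independent of locale and timezone.
    LC_ALL=C date -u -d "@${SOURCE_DATE_EPOCH}" '+%Y-%m-%dT%H:%M:%SZ'
}

# Assemble the value for "go build -ldflags". $1 is the version string.
# No build user or hostname is embedded: both vary between build machines.
repro_ldflags() {
    version=$1
    build_date=$(repro_build_date) || return 1
    printf '%s' "-X main.Version=${version} -X main.BuildDate=${build_date}"
}

# Usage (not executed here):
#   go build -ldflags "$(repro_ldflags 1.0.0-1)" ./...
```

Under dpkg-buildpackage the variable is already exported, so two builds of the same source package pass identical flags.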