Reproducible Build #1341
Conversation
@@ -528,6 +528,10 @@ __dyn_package() { | |||
echo -n "${BUILD_ID}" > "${PORTAGE_BUILDDIR}"/build-info/BUILD_ID | |||
fi | |||
|
|||
if [[ "${BUILD_TIME}" == "ebuild" ]]; then | |||
find ${D} -exec touch -h -r ${EBUILD} {} \; |
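Review bot: `${D}` and `${EBUILD}` are unquoted in `find ${D} -exec touch -h -r ${EBUILD} {} \;`, so a path containing whitespace or glob characters would be word-split and globbed before `find` and `touch` see it; quote both, as in `find "${D}" -exec touch -h -r "${EBUILD}" {} \;` (and `{} +` would batch the `touch` calls instead of forking one per file). Also note that this branch rewrites the mtime of every installed file to the ebuild's mtime, which changes metadata other installed files may depend on (timestamp-validated Python bytecode is the case raised below), so the behaviour should stay opt-in and that caveat belongs in the BUILD_TIME variable's description.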
- need to quote ${D}
- Modifying the timestamps of installed files is conditionally problematic, since installed file contents can contain the timestamps of other installed file contents and require a match. In particular, this is a problem for python bytecode. If you touch the timestamp of `*.py` files, then all `*.pyc` files will be invalidated and the next time they are imported as root, the interpreter will regenerate and rewrite the .pyc files with new values.
@eli-schwartz thank you for the feedback
I'll change the ${D} accordingly.
As for the timestamp, any alternative suggestion to make it deterministic?
It's not possible if we are to fulfill the "Preservation of file modification times" requirement of PMS:
https://dev.gentoo.org/~ulm/pms/head/pms.html#x1-146001r1
There was an ignore-mtime option dropped from #991 due to the same requirement.
Making file metadata deterministic when PMS explicitly says it shall not be deterministic is a tough topic.
All I can say is that from a pure usability standpoint, you don't really know what software depends on the timestamp. Python bytecode may be only one example.
Setting $SOURCE_DATE_EPOCH is explicitly respected by python bytecode to use a slower and less efficient bytecode invalidation format. It's also the actual reproducible builds specification. It is likely that any other software depending on timestamps will respect that variable if it respects anything at all.
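As an added example (not code from this pull request or from Portage) of the two points raised in this thread, touching `*.py` mtimes invalidating timestamp-based `*.pyc` files and `SOURCE_DATE_EPOCH` switching CPython to hash-based validation, the script below compiles a constructed `hello.py` both ways, retouches the source the way `touch -h -r ${EBUILD}` would, and re-runs the importer's freshness check. `pyc_mode`, `pyc_still_valid` and `compile_then_touch` are helpers written for this example.

```python
# Added example: why `touch -h -r ${EBUILD}` on *.py files invalidates
# timestamp-based *.pyc files, and how SOURCE_DATE_EPOCH switches CPython to
# hash-based validation (PEP 552). Helpers and hello.py are constructed here.
import importlib.util
import os
import py_compile
import struct
import tempfile


def pyc_mode(pyc_path):
    """Classify a .pyc from the flags word that follows the 4-byte magic."""
    with open(pyc_path, "rb") as f:
        flags = struct.unpack("<I", f.read(8)[4:8])[0]
    if not flags & 0b01:
        return "timestamp"
    return "checked-hash" if flags & 0b10 else "unchecked-hash"


def pyc_still_valid(py_path, pyc_path):
    """Re-run the importer's freshness check against the .pyc header."""
    with open(pyc_path, "rb") as f:
        header = f.read(16)
    if pyc_mode(pyc_path) == "timestamp":
        mtime, size = struct.unpack("<II", header[8:16])
        st = os.stat(py_path)
        return mtime == (int(st.st_mtime) & 0xFFFFFFFF) and size == (st.st_size & 0xFFFFFFFF)
    with open(py_path, "rb") as f:  # hash-based: content only, mtime irrelevant
        return header[8:16] == importlib.util.source_hash(f.read())


def compile_then_touch(source_date_epoch=None, new_mtime=1_000_000_000):
    """Compile hello.py with or without SOURCE_DATE_EPOCH, then reset the
    source mtime as a post-install touch would; return (mode, still_valid)."""
    with tempfile.TemporaryDirectory() as d:
        py = os.path.join(d, "hello.py")
        with open(py, "w") as f:
            f.write("print('hello')\n")
        saved = os.environ.pop("SOURCE_DATE_EPOCH", None)
        try:
            if source_date_epoch is not None:
                os.environ["SOURCE_DATE_EPOCH"] = str(source_date_epoch)
            pyc = py_compile.compile(py, cfile=py + "c", doraise=True)
        finally:
            os.environ.pop("SOURCE_DATE_EPOCH", None)
            if saved is not None:
                os.environ["SOURCE_DATE_EPOCH"] = saved
        os.utime(py, (new_mtime, new_mtime))  # the touch under discussion
        return pyc_mode(pyc), pyc_still_valid(py, pyc)
```

Without the variable, `compile_then_touch()` returns `('timestamp', False)`: the retouched source no longer matches the header and the interpreter would recompile on import. With `compile_then_touch(1700000000)` the result is `('checked-hash', True)`, because validity now depends only on the source hash.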
Is there a chance we can revise this specification?
Reproducibility has become more and more relevant these days, and it has become relevant to us Gentoo users especially since binary packages are offered officially.
Just like binary packages of other distros (e.g. Debian, and even Arch is actively spending effort on it), it would be nice to be able to verify the official build somehow, even if it means having to match the USE flags and other configs.
I've submitted this ticket for EAPI to allow mtime modification in a future version.
bd7c238 to 7bfbb2a
Added a couple of environment variables that alter BUILD_TIME & BUILD_ID to have deterministic values.
BUILD_TIME: can be "pkg" for the current time of the package build (default) or "ebuild" for the ebuild file's timestamp.
BUILD_ID_TYPE: can be "int" for autoincrement (default) or "hash" for the hash of the environment.
Currently tested to work with the sys-apps/baselayout package with the command:
Known issues: