[Rpm-maint] Reproducible packages

Nicolas Vigier boklm at mars-attacks.org
Wed Sep 25 10:20:07 UTC 2013


Hello,

While running successive "rpmbuild -bs" commands to create a source rpm,
I noticed that it creates different rpm files each time, although the
spec file and sources tarball are exactly the same. The reason is that
the package includes tags such as BUILDTIME and COOKIE (build time +
build host).

I think that in some cases, it can be useful to be able to reproduce
the exact rpm file.

Here is a proposal for two patches that add an option to set the build
time and the build host to some fixed values, so you can reproduce the
packages:

- if %{_buildtime} is defined, then it is used as the build time
- if %{_buildhost} is defined, then it is used as the build host

With those patches applied, I can reproduce a source package with a
command like this:

 $ rpmbuild --define "_buildtime 1" --define "_buildhost something" -bs *.spec

This is not enough to be able to reproduce binary packages, as the
%{buildroot} files also need to have the same modification time in
addition to the same content, but I think it is a first step in that
direction.

Nicolas
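
Added example, not part of the original message and not rpm's own code: a Python check that reads BUILDTIME, BUILDHOST and COOKIE from the main header of two package files and reports which of them differ between builds. The tag numbers (1006, 1007, 1094) and type codes follow rpm's header format; `fake_rpm` is a hypothetical helper that builds constructed sample files, and its cookie layout ("host time") is an assumption based on the description in the message.

```python
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01"
# Tag numbers and data type codes from rpm's header format.
WATCHED = {1006: "BUILDTIME", 1007: "BUILDHOST", 1094: "COOKIE"}
INT32, STRING = 4, 6

def parse_header(buf, off):
    """Return (watched tags found, offset just past this header structure)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, hsize = struct.unpack_from(">II", buf, off + 8)
    store = off + 16 + 16 * nindex          # data store follows the index
    if store + hsize > len(buf):
        raise ValueError("truncated header")
    found = {}
    for i in range(nindex):
        tag, typ, pos, _count = struct.unpack_from(">IIII", buf, off + 16 + 16 * i)
        if tag not in WATCHED or pos >= hsize:
            continue
        if typ == INT32:
            found[WATCHED[tag]] = struct.unpack_from(">I", buf, store + pos)[0]
        elif typ == STRING:
            end = buf.index(b"\0", store + pos)
            found[WATCHED[tag]] = buf[store + pos:end].decode("utf-8", "replace")
    return found, store + hsize

def volatile_tags(rpm):
    """Skip the 96-byte lead and the signature header, read the main header."""
    _, end = parse_header(rpm, 96)
    return parse_header(rpm, (end + 7) & ~7)[0]   # main header is 8-byte aligned

def diff_tags(a, b):
    """Map each watched tag that differs to its (value in a, value in b)."""
    ta, tb = volatile_tags(a), volatile_tags(b)
    return {k: (ta.get(k), tb.get(k))
            for k in sorted(set(ta) | set(tb)) if ta.get(k) != tb.get(k)}

def fake_rpm(buildtime, buildhost):
    """Constructed sample: lead + empty signature header + 3-tag main header."""
    entries = [(1006, INT32, struct.pack(">I", buildtime)),
               (1007, STRING, buildhost.encode() + b"\0"),
               (1094, STRING, ("%s %d" % (buildhost, buildtime)).encode() + b"\0")]
    index, store = b"", b""
    for tag, typ, data in entries:
        index += struct.pack(">IIII", tag, typ, len(store), 1)
        store += data
    lead = b"\xed\xab\xee\xdb" + b"\0" * 92
    sig = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 0, 0)
    main = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    return lead + sig + main + index + store
```

Two constructed builds with different times and hosts differ in all three tags, while two builds pinned to the same values, as in the `--define "_buildtime 1" --define "_buildhost something"` command above, produce an empty diff.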


