[Rpm-maint] [rpm-software-management/rpm] Reproducible builds improvements (Issue #2894)

Panu Matilainen notifications at github.com
Wed Feb 28 07:46:13 UTC 2024


> As @Conan-Kudo mentioned above, we have to strip metadata _anyway_. At least `HEADERIMMUTABLE`, `SIGSIZE`,
> `SIGMD5`, `SHA1HEADER`, `SHA256HEADER` are "irreproducible"

Wait, what? If those differ then the packages do differ, so it's not actually bit-per-bit identical. Which is what *I've* assumed reproducibility to mean. This just goes to point out how completely different expectations people have. No wonder having a meaningful discussion about reproducible packages always seems so hard :smile:

> and `OPTFLAGS` and `PLATFORM` are often different because a "random" noarch package is selected. If you have to strip/ignore/treat-in-a-special-way those fields, then it doesn't make much difference to also handle `BUILDTIME` and `BUILDHOST` in the same way. We have to strike a balance between having useful metadata and ease of reproducibility. Since bit-for-bit reproducibility is impossible with signatures, then I think the current balance of using real `BUILDTIME` and `BUILDHOST` is good.

...but okay if we start down the filtering road (I don't disagree, I just clearly don't know what everybody's assumptions are), then we arrive at this old discussion that never really went anywhere: https://github.com/rpm-software-management/rpm/discussions/2023
Which of course turns the discussion into "which tags should be filtered", because I'm quite sure not everybody thinks "release" is one of them, just for example.

Having a written definition of what "reproducibility" means would help driving towards that goal. People clearly have very, very different ideas about it.

It's good to have this discussion, but as discussion is what this is, I'm moving this there. Once something concrete emerges, we can open ticket(s).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2894#issuecomment-1968407078
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2894/1968407078 at github.com>