[Rpm-maint] [rpm-software-management/rpm] rfe: allow rejecting packages with invalid timestamp on last changelog entry (Discussion #3571)

Wed Feb 12 16:16:03 UTC 2025

When doing test rebuilds for rpms after the Fedora 42 mass rebuild, I found a bunch of packages which failed repro test because they didn't have $SOURCE_DATE_EPOCH properly set during the build. When discussing the causes with some of the maintainers, I was asked "why wasn't the build immediately rejected", and I couldn't give a good answer. I think it makes sense for distro builds to fail in those cases.

I saw two kinds of issues:
1. the last changelog entry is in the future when the build is made. So far, this happens for packages where %autochangelog is *not* used, and the maintainer inserts a changelog entry after midnight in the local time zone, but the build actually happens before midnight UTC, so the $SOURCE_DATE_EPOCH timestamp is in the future during the build (https://docs.fedoraproject.org/en-US/reproducible-builds/common_problems/)
2. there is no changelog. This is caused by a forgotten or mistyped `%autochangelog` in the `%changelog` section and other similar spec file formatting problems.

Thus, I'd like to request a new setting like `%require_valid_changelog_timestamps`, with a default of 0. Fedora could set it to 1 in mock and koji. This would reject builds with:
1. no changelog
2. changelog with invalid dates or non-monotonic timestamps
3. changelog with entries in the future

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/discussions/3571
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/repo-discussions/3571 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20250212/7ee634fd/attachment.htm>