[Rpm-maint] [rpm-software-management/rpm] build_mtime_policy clamp_source_date_epoch flag does not result in reproducible identical builds (Issue #4035)

prarit notifications at github.com
Thu Nov 6 15:31:39 UTC 2025 

prarit created an issue (rpm-software-management/rpm#4035)

**Describe the bug**

I am using the deprecated flag clamp_mtime_to_source_date_epoch.

[prarit at prarit rpm]$ git grep clamp_mtime_to_source_date_epoch
build/files.cc:1029:        if (srcdate && rpmExpandNumeric("%{?clamp_mtime_to_source_date_epoch}")) {
build/files.cc:1033:                _("%%clamp_mtime_to_source_date_epoch is deprecated, please use %%build_mtime_policy\n"));
docs/manual/buildprocess.md:105:`%clamp_mtime_to_source_date_epoch`   | Ensure file timestamps are not newer than `SOURCE_DATE_EPOCH` (deprecated)

to generated a reproducible build.

Switching to the recommended flag 'build_mtime_policy clamp_source_date_epoch' which does not appear to work.  When I do this I get a different RPM database file between two subsequent builds.  When I use clamp_mtime_to_source_date_epoch the RPM database files are identical AFAICT.


**To Reproduce**
Steps to reproduce the behavior:

Use a relatively simple spec file:

Name: nodejs-symlinks
Version: 999
Release: 1
Summary: nodejs24 symlinks
License: MIT
BuildArch: noarch

%global _buildhost reproducible
# this flag is marked as deprecated in the RPM documention.  The replacement
# flag, build_mtime_policy clamp_source_date_epoch, does not appear to work.
%global clamp_mtime_to_source_date_epoch 1
%global use_source_date_epoch_as_buildtime 1

%description
Symlinks for nodejs24. This works around the weird Fedora packaging.

%install
mkdir -p %{buildroot}/usr/bin
ln -s node-24 %{buildroot}/usr/bin/node
ln -s npm-24 %{buildroot}/usr/bin/npm

%files
/usr/bin/node
/usr/bin/npm

^^^^ using this spec file, with clamp_mtime_to_source_date_epoch results in identical RPM databases.

Switching the line 

%global clamp_mtime_to_source_date_epoch 1

to

%global build_mtime_policy clamp_source_date_epoch

does not result in identical RPM databases indicating that the build time has changed between builds.

Please link or attach the packages or spec files involved.

**Expected behavior**

Using "build_mtime_policy clamp_source_date_epoch" should have resulted in identical builds.

**Output**
If applicable, add copy of the output on the command line or a screenshots to help explain your problem.

**Environment**
 - OS / Distribution: Fedora 43
 - Version:  RPM version 4.19.1.1


**Additional context**
Add any other context about the problem here.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/4035
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/4035 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20251106/bff9a591/attachment-0001.htm>

More information about the Rpm-maint mailing list