Use SOURCE_DATE_EPOCH for zip, tar, xz, gzip, rpm, msi #1547
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Hi @stevedlawrence, Thank you for your contribution! We really value the time you've taken to put this together. We see that you have signed the Lightbend Contributors License Agreement before, however, the CLA has changed since you last signed it. |
stevedlawrence
force-pushed
the
source_date_epoch
branch
from
5073ba1 to
1ead1bb
Compare
SOURCE_DATE_EPOCH is a standardized environment variable that can be set to create reproducbile builds: https://reproducible-builds.org/docs/source-date-epoch/ If the SOURCE_DATE_EPOCH environment variable is defined, its value is used during the creation of zip, tar, gzip, xz, rpm, and msi files in places where timestamp information is embedded in the resulting file. To support this capability, a new sourceDateEpoch file utility is added which executes the touch command to set the mtime of the provided file/directory and all children. This utility is called on all source files for the listed packages. For zip, this also adds the -o option to native zip, and calls setTime() for the non-native zip. For rpm, this also sets the %use_source_date_epoch_as_buildtime and %clamp_mtime_to_source_date_epoch tunables to 1 to ensure the build time and timestamps embedded in the RPM are set to the epoch. For msi, the SOURCE_DATE_EPOCH variable is also used to generate reproducible name-based UUIDs, using a combination of an identifier and the epoch value. Note that this does not change the "Product" GUID or the build time that is embedded in the MSI. There does not seem to be a way to change these, so MSI builds are not 100% reproducible. However, with these changes the output of tools like msidiff is much smaller and easier to confirm similar builds. If SOURCE_DATE_EPOCH is not set then the current behavior is used. Archives and rpms use timestamps of when the files are modified/created, and MSI uses random GUIDs.
stevedlawrence
force-pushed
the
source_date_epoch
branch
from
1ead1bb to
c1927b7
Compare
muuki88
approved these changes
Jul 24, 2023
There was a problem hiding this comment.
Thanks a lot @stevedlawrence for this contribution. This is super useful.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SOURCE_DATE_EPOCH is a standardized environment variable that can be set to create reproducbile builds:
https://reproducible-builds.org/docs/source-date-epoch/
If the SOURCE_DATE_EPOCH environment variable is defined, its value is used during the creation of zip, tar, gzip, xz, rpm, and msi files in places where timestamp information is embedded in the resulting file.
To support this capability, a new sourceDateEpoch file utility is added which executes the touch command to set the mtime of the provided file/directory and all children. This utility is called on all source files for the listed packages.
For zip, this also adds the -o option to native zip, and calls setTime() for the non-native zip.
For rpm, this also sets the %use_source_date_epoch_as_buildtime and %clamp_mtime_to_source_date_epoch tunables to 1 to ensure the build time and timestamps embedded in the RPM are set to the epoch.
For msi, the SOURCE_DATE_EPOCH variable is also used to generate reproducible name-based UUIDs, using a combination of an identifier and the epoch value. Note that this does not change the "Product" GUID or the build time that is embedded in the MSI. There does not seem to be a way to change these, so MSI builds are not 100% reproducible. However, with these changes the output of tools like msidiff is much smaller and easier to confirm similar builds.
If SOURCE_DATE_EPOCH is not set then the current behavior is used. Archives and rpms use timestamps of when the files are modified/created, and MSI uses random GUIDs.