Make builds reproducible #2
Conversation
This needs to pass |
|
We'll probably want to do some defaulting here so that if SOURCE_DATE_EPOCH is not set, it defaults to Time.now. |
Sure! I was (and am still) not sure about where are the entry points and how to avoid tests everywhere. For today, I will stick to try to understand what is going wrong with the issue with the images that are altered to add the current date and time to vendored files. I will then setup a wip branch that people can use to start builds and hopefully have the same artifacts as me. In the meantime, let's mark this as a draft. |
|
I have an idea how we might make a single entry point here. Noodling on it now. Mind if I push a commit to your branch if I get it working? |
Pass the SOURCE_DATE_EPOCH down to the docker containers to allow reproducible builds. When generating the changelog entry, also rely on this environment variable. The caller is expected to provide a value for this variable.
This creates the source_date_epoch variable on the project object, picking it up from the SOURCE_DATE_EPOCH env var, or using the current time if that isn't set. It converts all times to UTC so it doesn't matter what time zone you are in when you run it.
nmburgan
force-pushed
the
reproducible-builds
branch
from
9ff1e10 to
611dd7a
Compare
The openvox-agent pacakage contains some bits from openssl, in
particular a perl script `tsget.pl` and a symbolic link `tsget` that
points to it.
`dh_perl` wants to normalize shebangs in perl files, but depending on the
order files are enumerated, it breaks builds reproducibility:
* When `dh_perl.pl` is found first, it is normalized (replaced by a new
regular file with the normalized shebang), and then when
`dh_perl` is found it does not need normalizing and is kept
unchanged.
The package has `dh_perl.pl` as a regular file, and `dh_perl` as a
symbolic link to that file.
* When `dh_perl` is found first, it is normalized (replaced by a new
regular file with the normalized shebang), and then `dh_perl.pl` is
found and it is also normalized.
The package has `dh_perl.pl` and `dh_perl` as two regular files.
While some debhelpers can have support for an `-X` flag to exclude
files, `dh_perl` ignore it, so we cannot rely on it.
Because perl files in the OpenVox packages are only third-party tools,
we can skip this helper to avoid breaking builds reproducibility.
Pass the SOURCE_DATE_EPOCH down to the docker containers to allow reproducible builds.
When generating the changelog entry, also rely on this environment variable.
The caller is expected to provide a value for this variable.