Create .changes files for reproducible builds #3064
Conversation
|
No, as the generated content depends on all other packages in the repo, e.g. version number and weakremovers. |
JanZerebecki
force-pushed
the
sde-create-release-changes-now
branch
from
d555cf0
to
63a8d50
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #3064 +/- ##
==========================================
- Coverage 28.31% 28.24% -0.08%
==========================================
Files 86 86
Lines 14799 14840 +41
==========================================
Hits 4191 4191
- Misses 10608 10649 +41 ☔ View full report in Codecov by Sentry. |
|
Now it should only change the changes files if there is something else to commit. Note: after this is merged, the %changelog in the spec.in files in 000package-groups probably needs to be removed before the following run. |
release rpm files currently do not have .changes files, but these are needed to extract SOURCE_DATE_EPOCH for reproducible builds. Using the time stamp of the last commit to any of the input, which is the 000package-groups and 000update-repos source package, as the time for the changes entry would be reproducible, however there is resistance to that. The other date that is related is the time of the last source change for any input to the whole distribution, however AFAIK this date is not cheap enough to compute for OBS-VCS. This hopefully changes once we move to git. However to not delay making progress with reproducible builds in Factory, I propose this change which makes the output of this script non-reproducible, by using the current wall-clock time. But only when this script produced a change to be commited. The release binary rpms will still be reproducible. We can revisit making the generated source reproducible, later. See https://reproducible-builds.org/ for more general information on this topic.
JanZerebecki
force-pushed
the
sde-create-release-changes-now
branch
from
63a8d50
to
57110cc
Compare
release rpm files currently do not have .changes files, but these are needed to extract SOURCE_DATE_EPOCH for reproducible builds.
Using the time stamp of the last commit to the input, which is the 000package-groups source package, as the time for the changes entry would be reproducible, however there is resistance to that.
The other date that would is somewhat related is the time of the last source change for any input to the whole distribution, however AFAIK this date is not cheap enough to compute for OBS-VCS. This hopefully changes once we move to git. But I think the change date of 000package-groups makes more sense conceptually, because AFAIK that is the only information that can causes a change.
However to not delay making progress with reproducible builds in Factory, I propose this change which is non-reproducible, by using the current wall-clock time. We can revisit this later.
See https://reproducible-builds.org/ for more general information on this topic.
This is an alternative for: #3062