Date: Thu, 06 Mar 2025 18:01:12 -0800
On Thursday, 6 March 2025 16:32:01 Pacific Standard Time Nikolaos D. Bougalis
via Std-Proposals wrote:
> Even if this functionality were added, it would not affect reproducible
> builds in _any_ way, _unless the developers of the software chose to use
> it_! Given that it is largely incompatible with reproducible/deterministic
> builds, why would they?

Because a lot of software developers don't know that their software is
expected to be reproducible or forced to be.

Software compiled in the mainstream Linux distributions, for example, is built
in reproducible mode. The reason for why they do it is irrelevant: only the
fact they do it. Therefore, you have to ask yourself: where did they get the
timestamp?

Take rpm, for example. The docs[1] say that it may be configured to use the
last changelog entry's date. That means it will reasonably change every now
and again and will be reasonably accurate too.

But it cannot be guaranteed to be unique across packages. Think of a library
that does exactly the first motivation in the paper: generate a time-based
UUID. Suppose this library is used in two separate packages in the distro. Now
suppose the packages were updated by an automated system ("rebuild after gcc
upgrade" for example): the chance that the timestamp in the changelog is in
the same second is non-negligible.

[1] https://rpm-software-management.github.io/rpm/manual/buildprocess.html#reproducability

-- Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org Principal Engineer - Intel DCAI Platform & System Engineering
Received on 2025-03-07 02:01:15
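
The collision described in the message above, as an added example that is not part of the original post or of the paper under discussion: a version-1-layout UUID filled from a build timestamp is identical in every package whose build clock was clamped to the same second. The timestamp value, `kLibraryNode`, the package names and the `package_node` mitigation are assumptions made for illustration.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>

using Uuid = std::array<std::uint8_t, 16>;

// 100 ns ticks from the UUID epoch (1582-10-15) to the Unix epoch.
constexpr std::uint64_t kUuidEpochOffset = 0x01B21DD213814000ULL;
// Constructed value standing in for the clamped build timestamp (Unix seconds).
constexpr std::uint64_t kChangelogEpoch = 1741312872ULL;
// Hypothetical constant node a library might hard-code, having no MAC at build time.
constexpr std::uint64_t kLibraryNode = 0x0123456789ABULL;

// Hypothetical mitigation: derive the 48-bit node from the package name (FNV-1a).
std::uint64_t package_node(const char* name) {
    std::uint64_t h = 14695981039346656037ULL;
    for (; *name; ++name) {
        h ^= static_cast<unsigned char>(*name);
        h *= 1099511628211ULL;
    }
    return h & 0xFFFFFFFFFFFFULL;
}

// RFC 4122 version-1 field layout; the only varying input is the build timestamp.
Uuid build_time_uuid(std::uint64_t epoch_seconds, std::uint64_t node) {
    const std::uint64_t t = epoch_seconds * 10000000ULL + kUuidEpochOffset;
    const std::uint64_t hi = ((t >> 48) & 0x0FFF) | 0x1000;  // time_hi + version 1
    Uuid u{};
    for (int i = 0; i < 4; ++i) u[i] = static_cast<std::uint8_t>(t >> (24 - 8 * i));      // time_low
    for (int i = 0; i < 2; ++i) u[4 + i] = static_cast<std::uint8_t>(t >> (40 - 8 * i));  // time_mid
    for (int i = 0; i < 2; ++i) u[6 + i] = static_cast<std::uint8_t>(hi >> (8 - 8 * i));
    u[8] = 0x80;  // RFC 4122 variant, clock sequence fixed at 0
    u[9] = 0x00;
    for (int i = 0; i < 6; ++i) u[10 + i] = static_cast<std::uint8_t>(node >> (40 - 8 * i));
    return u;
}

int main() {
    // Two packages rebuilt in the same second, both linking the same library.
    const Uuid a = build_time_uuid(kChangelogEpoch, kLibraryNode);
    const Uuid b = build_time_uuid(kChangelogEpoch, kLibraryNode);
    std::printf("timestamp only:    %s\n", a == b ? "collision" : "distinct");
    const Uuid c = build_time_uuid(kChangelogEpoch, package_node("pkg-a"));
    const Uuid d = build_time_uuid(kChangelogEpoch, package_node("pkg-b"));
    std::printf("package name node: %s\n", c == d ? "collision" : "distinct");
    return 0;
}
```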