←back to thread

Debian bookworm live images now reproducible

(lwn.net)
764 points bertman | 1 comments | 26 Mar 25 17:22 UTC | HN request time: 0s | source
Show context
imcritic ◴[26 Mar 25 17:36 UTC] No.43484638[source]
I don't get how someone achieves reproducibility of builds: what about files metadata like creation/modification timestamps? Do they forge them? Or are these data treated as not important enough (like it 2 files with different metadata but identical contents should have the same checksum when hashed)?
replies(10): >>43484658 #>>43484661 #>>43484682 #>>43484689 #>>43484705 #>>43484760 #>>43485346 #>>43485379 #>>43486079 #>>43488794 #
echoangle ◴[26 Mar 25 18:38 UTC] No.43485379[source]
Maybe dumb question but why would this change the reproducibility? If you clone a git repo, do you not get the meta data as it is stored in git? Or would the files have the modification date of the cloning?

I never actually checked that.

replies(1): >>43485393 #
mathfailure ◴[26 Mar 25 18:40 UTC] No.43485393[source]
You clone source from git, but then you use them to build some artifacts. The artifacts build time may differ, yet with reproducible builds - the artifact should match.
replies(1): >>43485852 #
echoangle ◴[26 Mar 25 19:15 UTC] No.43485852[source]
Right, but if you only clone and build, why would the files modification date be different compared to the version that was committed to git? Does just cloning a repo already lead to different file modification dates in my local copy?
replies(1): >>43485956 #
hoten ◴[26 Mar 25 19:22 UTC] No.43485956[source]
Git does not store or restore file modification times.
replies(2): >>43486058 #>>43486400 #
1. echoangle ◴[26 Mar 25 19:52 UTC] No.43486400[source]
Ah ok, that explains it.