←back to thread

Debian bookworm live images now reproducible

(lwn.net)
764 points bertman | 2 comments | 26 Mar 25 17:22 UTC | HN request time: 0s | source
Show context
imcritic ◴[26 Mar 25 17:36 UTC] No.43484638[source]
I don't get how someone achieves reproducibility of builds: what about files metadata like creation/modification timestamps? Do they forge them? Or are these data treated as not important enough (like it 2 files with different metadata but identical contents should have the same checksum when hashed)?
replies(10): >>43484658 #>>43484661 #>>43484682 #>>43484689 #>>43484705 #>>43484760 #>>43485346 #>>43485379 #>>43486079 #>>43488794 #
purkka ◴[26 Mar 25 17:40 UTC] No.43484689[source]
Generally, yes: https://reproducible-builds.org/docs/timestamps/

Since the build is reproducible, it should not matter when it was built. If you want to trace a build back to its source, there are much better ways than a timestamp.

replies(1): >>43485622 #
ryandrake ◴[26 Mar 25 18:58 UTC] No.43485622[source]
C compilers offer __DATE__ and __TIME__ macros, which expand to string constants that describe the date and time that the preprocessor was invoked. Any code using these would have different strings each time it was built, and would need to be modified. I can't think of a good reason for them to be used in an actual production program, but for whatever reason, they exist.
replies(4): >>43485670 #>>43486042 #>>43487552 #>>43488994 #
mananaysiempre ◴[26 Mar 25 19:28 UTC] No.43486042[source]
And that’s why GCC (among others) accepts SOURCE_DATE_EPOCH from the environment, and also has -Wdate-time. As for using __DATE__ or __TIME__ in code, I suspect that was more helpful in the age before ubiquitous source control and build IDs.
replies(1): >>43488470 #
cperciva ◴[26 Mar 25 23:01 UTC] No.43488470{3}[source]
Source control only helps you if everything is committed. If you're, say, working on changes to the FreeBSD boot loader, you're probably not committing those changes every time you test something but it's very useful to know "this is the version I built ten minutes ago" vs "I just booted yesterday's version because I forgot to install the new code after I built it".
replies(5): >>43489912 #>>43490489 #>>43492048 #>>43492803 #>>43492948 #
lmm ◴[27 Mar 25 02:45 UTC] No.43489912{4}[source]
> If you're, say, working on changes to the FreeBSD boot loader, you're probably not committing those changes every time you test something

Whyever not? Does the FreeBSD boot loader not have a VCS or something?

replies(2): >>43489986 #>>43490170 #
steveklabnik ◴[27 Mar 25 03:37 UTC] No.43490170{5}[source]
A subtlety that may be lost: FreeBSD uses CVS, and so there isn't a way to commit locally while you're working, like with a DVCS.
replies(1): >>43495755 #
cperciva ◴[27 Mar 25 17:21 UTC] No.43495755{6}[source]
FreeBSD hasn't used CVS since 2008.
replies(1): >>43495830 #
steveklabnik ◴[27 Mar 25 17:29 UTC] No.43495830{7}[source]
Huh! So, before I posted this, I went to go double check, and found https://wiki.freebsd.org/VersionControl. What I missed was the (now obvious) banner saying

> The sections below are currently a historical reference covering FreeBSD's migration from CVS to Subversion.

My apologies! At the end of the day, the point still stands in that SVN isn't a DVCS and so you wouldn't want to be committing unfinished code though, correct?

(I suspect I got FreeBSD mixed up with OpenBSD in my head here, embarrassing.)

replies(2): >>43498328 #>>43500995 #
1. cperciva ◴[28 Mar 25 02:53 UTC] No.43500995{8}[source]
Well yes, but we've actually migrated to Git now. ;-)
replies(1): >>43505962 #
2. steveklabnik ◴[28 Mar 25 14:35 UTC] No.43505962[source]
Welp! Egg on my face twice!