Firstyear / obs-service-cargo

OBS Source Service and utilities for Rust software packaging
Mozilla Public License 2.0

vendor service is not reproducible because of audit [regression] #73

Closed: JanZerebecki closed this issue 4 months ago

JanZerebecki commented 4 months ago

While the output of audit, and on a run not intended to reproduce also the error result, is useful, the ability to automatically reproduce build artifacts like the vendor archive is also useful.

If between two runs the list of rustsec advisories changes, then it becomes cumbersome to test a vendor archive for reproducibility. While https://github.com/openSUSE/obs-service-cargo_vendor/issues/64 can be worked around with diffoscope, the issue described here is more cumbersome to work around and an unacceptable regression compared to obs-service-cargo_vendor 0.4.5 in Factory.

The proposed workaround in https://github.com/openSUSE/obs-service-cargo_vendor/issues/72 is too much manual work.

For the general concept see: https://reproducible-builds.org/

For openSUSE Tumbleweed and other distributions we want to be able to verify that built files, like the vendor archive, have the expected content without needing to manually review them. This is currently a necessary manual step for reviewing submit requests. It is also necessary that it can be done any time later. Hopefully in the future this will be tested by https://github.com/openSUSE/obs-service-source_validator to save manual work during submit request review, so this needs to work in automation across all obs source services, without knowledge specific to each service implementation.
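
The check described above, as an added example (this is not code from obs-service-cargo or from the issue): run the service twice, then compare the two vendor archives member by member rather than byte by byte, so that harmless differences (tar member mtimes, gzip header) do not mask or mimic a real content difference. The demo archives, the crate name `example-crate-1.0.0` and the varying file `vendor/audit-report.txt` are constructed stand-ins for whatever the audit step actually writes; they are not real output paths of the service.

```shell
#!/bin/sh
# Added example, not part of obs-service-cargo: content-level reproducibility
# check for two vendor archives produced by separate runs of a source service.
set -eu

# Print "sha256  ./path" for every regular file in ARCHIVE, sorted by path.
# Extracting first means member order, mtimes and compression details are ignored.
archive_manifest() {
    archive=$1
    work=$(mktemp -d)
    tar -xf "$archive" -C "$work"
    ( cd "$work" && find . -type f | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done )
    rm -rf "$work"
}

# Return 0 when both archives contain the same members with identical content,
# 1 otherwise; on mismatch, print the manifest lines that differ.
compare_archives() {
    a=$1; b=$2
    ma=$(mktemp); mb=$(mktemp)
    archive_manifest "$a" > "$ma"
    archive_manifest "$b" > "$mb"
    if cmp -s "$ma" "$mb"; then
        rm -f "$ma" "$mb"
        echo "reproducible: $a and $b have identical contents"
        return 0
    fi
    echo "NOT reproducible: $a vs $b, differing members:"
    diff "$ma" "$mb" | grep '^[<>]' || true
    rm -f "$ma" "$mb"
    return 1
}

# Build three constructed archives under DIR to exercise the check:
#   run1.tar.gz, run2.tar.gz: same vendored sources, different mtimes
#                             (tarball bytes differ, content does not)
#   run3.tar.gz: same sources plus a hypothetical file whose content changes
#                from run to run, standing in for audit output that depends on
#                the advisory list current at build time
make_demo_archives() {
    dir=$1
    for run in run1 run2 run3; do
        crate="$dir/$run/vendor/example-crate-1.0.0"
        mkdir -p "$crate/src"
        printf '[package]\nname = "example-crate"\nversion = "1.0.0"\n' > "$crate/Cargo.toml"
        echo 'pub fn answer() -> u32 { 42 }' > "$crate/src/lib.rs"
    done
    # Same content, different timestamps: byte-level cmp of the tarballs fails.
    touch -t 202001010000 "$dir/run1/vendor/example-crate-1.0.0/src/lib.rs"
    touch -t 202101010000 "$dir/run2/vendor/example-crate-1.0.0/src/lib.rs"
    # Constructed varying member (hypothetical name, not a real service output).
    echo 'advisory list as of this run (changes between runs)' > "$dir/run3/vendor/audit-report.txt"
    for run in run1 run2 run3; do
        tar -czf "$dir/$run.tar.gz" -C "$dir/$run" vendor
    done
}

# Stand-alone demo: byte comparison is too strict, member comparison is not.
demo_dir=$(mktemp -d)
make_demo_archives "$demo_dir"
cmp -s "$demo_dir/run1.tar.gz" "$demo_dir/run2.tar.gz" || echo "byte-level cmp: run1 and run2 differ (timestamps only)"
compare_archives "$demo_dir/run1.tar.gz" "$demo_dir/run2.tar.gz" || true
compare_archives "$demo_dir/run1.tar.gz" "$demo_dir/run3.tar.gz" || true
rm -rf "$demo_dir"
```

Usage in a review workflow: keep the vendor archive from the submit request, re-run the service yourself, and call `compare_archives` on the two tarballs; a non-zero exit with a listed member tells you exactly which file needs manual inspection. Because the check only looks at extracted members, it works the same way for any source service's output, which is the property asked for above.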

Firstyear commented 4 months ago

It's not a regression; we never claimed to support reproducibility in any capacity.

Reproducibility has limited and questionable value, so we won't be spending our time on this. PRs welcome.

Firstyear commented 4 months ago

Duplicate of #64