newpavlov
commented
1 year ago @kornelski Would you be willing to accept an implementation PR or do you have some concerns about the proposed design?
Closed newpavlov closed 1 year ago
newpavlov
commented
1 year ago @kornelski Would you be willing to accept an implementation PR or do you have some concerns about the proposed design?
As far as I understand, right now
cargo-debuses a somewhat peculiar approach to reproducibility. It reads modification time of manifest and then uses it as mtime for files included into control and data tarballs. It was really surprising when I got seemingly reproducible builds at first, but when I reconstructed the build environment from scratch later, I got different package hashes. The problem is that cloning code from a repository sets new mtime for source files, meaning that tarballs will use different mtimes as well.SOURCE_DATE_EPOCHis the preferred way for achieving reproducibility around timestamps. If it's set, compliant tooling clamps all timestamps included into a package to that time. I thinkcargo-debshould properly support it instead of the fragile manifest hack as both CLI argument and environmental variable, i.e.: