From Fedora Project Wiki


Reproducible builds: Clamp build mtimes to $SOURCE_DATE_EPOCH

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

The %clamp_mtime_to_source_date_epoch RPM macro will be set to 1. When an RPM package is built, the mtimes of packaged files will be clamped to $SOURCE_DATE_EPOCH, which is already set to the date of the latest %changelog entry. As a result, more RPM packages will be reproducible: the actual modification time of files that are, for example, modified in the %prep section will no longer be recorded in the RPM package.

Owner

Current status

  • Targeted release: Fedora Linux 38
  • Last updated: 2022-11-08
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

This change exists to make RPM package builds more reproducible. A common problem that prevents build reproducibility is the mtime (modification time) of the packaged files.

Suppose we package version 1.0 of software called skynet. Upstream released this version at datetime A. A Fedora packager creates the RPM package at datetime B. Unfortunately, the packager needs to patch the sources in the RPM %prep section. When the build runs at datetime C, the modification time of the patched file is set to C. When the build runs again in an otherwise identical environment at datetime D, the modification time of the patched file is set to D. As a result, the build is not bit-for-bit reproducible, because the time of the build is recorded in the resulting package. Patching is not even necessary for this to happen: when a source file is compiled into a binary, the binary's modification time is likewise set to the time of the build. In practice, the modification time of many files in RPM packages depends on when the package was actually built.

To eliminate this problem, we propose to clamp build mtimes to $SOURCE_DATE_EPOCH. RPM builds in Fedora already set the $SOURCE_DATE_EPOCH environment variable based on the latest %changelog entry, because the %source_date_epoch_from_changelog macro is set to 1. We will also set the %clamp_mtime_to_source_date_epoch macro to 1. As a result, when files are added to the RPM package, their modification times are clamped to $SOURCE_DATE_EPOCH (the datetime of the latest changelog entry). Clamping means that every file whose modification time is later than $SOURCE_DATE_EPOCH gets its modification time replaced by $SOURCE_DATE_EPOCH; files with an mtime earlier than or equal to $SOURCE_DATE_EPOCH keep their original time. Because the changelog date only changes when the packager edits the spec, two builds of the same spec in otherwise identical environments record the same mtimes regardless of when they run.
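The script below is an added illustration of the two macros' combined effect; it is not part of this proposal and not rpm's own code. It derives a SOURCE_DATE_EPOCH from a constructed %changelog header, simulates the skynet build above twice at different times (datetimes C and D) with and without clamping, and compares the mtimes a package would record. Two simplifications are assumptions of this example, not statements about rpm: the changelog date is taken at 00:00 UTC (the page does not say which time of day rpm uses), and clamping is applied to files in a temporary directory tree, whereas rpm clamps the times it writes into the package.

```python
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed %changelog header in the usual RPM form:
#   * Day Mon DD YYYY Name <email> - EVR
CHANGELOG_HEADER = "* Tue Nov 08 2022 Jane Packager <jane@example.com> - 1.0-1"


def source_date_epoch_from_changelog(header: str) -> int:
    """Derive SOURCE_DATE_EPOCH from a %changelog header line.

    Assumption of this example: the entry's date is taken at 00:00 UTC.
    The page only says the macro uses the date of the latest entry.
    """
    fields = header.split()
    if len(fields) < 5 or fields[0] != "*":
        raise ValueError(f"not a %changelog header: {header!r}")
    dt = datetime.strptime(" ".join(fields[1:5]), "%a %b %d %Y")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def clamp_mtime(path: Path, sde: int) -> bool:
    """Clamp one file: an mtime later than SDE becomes SDE, an earlier or
    equal mtime is kept. Returns True if the file was changed."""
    st = path.stat()
    if st.st_mtime > sde:
        os.utime(path, (st.st_atime, sde))
        return True
    return False


def clamp_tree(root: Path, sde: int) -> list[str]:
    """Apply clamp_mtime to every regular file under root; return what was clamped."""
    return [
        p.relative_to(root).as_posix()
        for p in sorted(root.rglob("*"))
        if p.is_file() and clamp_mtime(p, sde)
    ]


def mtime_manifest(root: Path) -> dict[str, int]:
    """What a package would record: relative path -> integer mtime."""
    return {
        p.relative_to(root).as_posix(): int(p.stat().st_mtime)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def simulate_build(build_time: int, sde: int, clamp: bool) -> dict[str, int]:
    """Constructed stand-in for %prep/%build of the skynet example.

    README is an untouched upstream file (mtime well before SDE); main.c is
    patched in %prep and skynet is compiled, so both carry the build time.
    """
    root = Path(tempfile.mkdtemp(prefix="skynet-"))
    try:
        upstream_time = sde - 30 * 86400
        for name, content, mtime in (
            ("README", "upstream docs\n", upstream_time),
            ("main.c", "int main(void) { return 0; } /* patched */\n", build_time),
            ("skynet", "ELF-stand-in\n", build_time),
        ):
            f = root / name
            f.write_text(content)
            os.utime(f, (mtime, mtime))
        if clamp:
            clamp_tree(root, sde)
        return mtime_manifest(root)
    finally:
        shutil.rmtree(root)


def builds_are_reproducible(sde: int, clamp: bool) -> bool:
    """Run the same build at two later times (datetimes C and D) and compare."""
    first = simulate_build(sde + 5 * 86400, sde, clamp)
    second = simulate_build(sde + 9 * 86400, sde, clamp)
    return first == second


if __name__ == "__main__":
    sde = source_date_epoch_from_changelog(CHANGELOG_HEADER)
    print("SOURCE_DATE_EPOCH =", sde)
    print("without clamping, reproducible:", builds_are_reproducible(sde, clamp=False))
    print("with clamping, reproducible:", builds_are_reproducible(sde, clamp=True))
    print("clamped manifest:", simulate_build(sde + 5 * 86400, sde, clamp=True))
```

Without clamping, the two manifests differ in main.c and skynet because each carries its own build time; with clamping both are pinned to SOURCE_DATE_EPOCH while README, whose mtime is already earlier, is left untouched. The same comparison of recorded mtimes is what a reproducibility check of two real builds would look at.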

Non-goal

We do not aim to make all Fedora packages reproducible (at least not as part of this Change). We only eliminate one problem, which we consider the biggest blocker for reproducible builds.

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

User Experience

Dependencies

Contingency Plan

  • Contingency mechanism: N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change)


Documentation

N/A (not a System Wide Change)

Release Notes