Do the file timestamps in ISOs matter ?

[Chris Lamb]

> > I believe [--set_all_file_dates] is entirely unnecessary
> 
> if SOURCE_DATE_EPOCH sets the default, there must be some option to set
> non-default values, especially the value which is default without
> SOURCE_DATE_EPOCH.

Consider the state space:

If someone does not set SOURCE_DATE_EPOCH, they are going to get an
unreproducible regardless. Therefore, whichever set_all_file_dates option
they choose is entirely meaningless and thus xorriso can simply inherit
{a,c,m}time just as before.

If someone does set SOURCE_DATE_EPOCH, they want a reproducible image by
definition. Thus, inheriting {a,c}time from the filesystem makes no sense
as their image will then not be reproducible and setting {a,c,m}time to a
specific date is not necessary as that can be trivially done pre-build.

Therefore folding it all into inheriting {a,c}time from mtime iff S_D_E
is the logical conclusion, from the angles of complicating xorriso itself
and complicating the end-user UI for someone who wants a reproducible ISO.

Putting it another way, the "semi-reproducible" scenario seems so unlikely
we can entirely discount it and thus there is need to for people who "just"
want a reproducible ISO to tediously scour the documentation to discover they
need to set --set_all_file_dates.

> I decided to let SOURCE_DATE_EPOCH only set the defaults of existing
> and new options, in order to protect ISO producers like grub-mkrescue from
> negative effects by overriding their program options.

They won't be run with SOURCE_DATE_EPOCH exported.

> Not to forget that it offers those users a workaround, who do not agree
> with the final decision about the question posed here, but want to use
> SOURCE_DATE_EPOCH nevertheless.

I just don't see this usecase of being "partly" reproducible being remotely
useful to anyone, ever. I'm probably misunderstanding something, however.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby at debian.org / chris-lamb.co.uk
       `-