Promote the default reproducible build date
Simon Josefsson
simon at josefsson.org
Wed Jan 22 13:09:03 GMT 2025
Sergey Ponomarev <stokito at gmail.com> writes:
> The 1980-02-01 was chosen as a default reproducible date in many tools
> like Gradle and Maven (any others?).
> Could you mention it on the page
> https://reproducible-builds.org/docs/timestamps/
> We need to put rationale why the date was chosen to be a default.
>
> Some other tools like archivers may need a simpler way to generate
> repo archives without timestamps.
> For example, today I wanted to do this for a tar command and found that
> this is not so easy to do. A search shows the StackOverflow thread "How to
> create a tar file that omits timestamps for its contents?", which
> points to the official reproducible-builds article "Archive
> metadata", which proposes this long command:
>
> tar --sort=name \
> --mtime="@${SOURCE_DATE_EPOCH}" \
> --owner=0 --group=0 --numeric-owner \
> --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
> -cf product.tar build
Another useful reference on this is the GNU Tar manual section on
reproducibility:
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
> I have a few propositions:
> 1. If the SOURCE_DATE_EPOCH var is empty use 1980-02-01 by default
> --mtime="@${SOURCE_DATE_EPOCH:-318211200}"
> 2. Maybe we can propose a patch to the gnu tar to read the
> SOURCE_DATE_EPOCH env and use it by default?
Please don't push the SOURCE_DATE_EPOCH idiom into upstream code. It is
a good idiom that is needed for packaging work. But as an upstream
maintainer for a bunch of projects my impression is that patches that
involve SOURCE_DATE_EPOCH are the wrong way to resolve underlying
reproducibility problems. Please report the underlying reproducibility
problem instead.
/Simon
> 3. Maybe we can propose a patch to the gnu tar to have a short option
> --reproducible that will set other options --mtime --owner --group
> --pax-option to the needed values.
>
> We should make this easier to use. Other tools like zip, zstd may also
> need the same behaviour.
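The tar invocation quoted in the thread, combined with the `${SOURCE_DATE_EPOCH:-318211200}` fallback from proposition 1, as an added example that is not part of the original messages or of any project's own code. It assumes GNU tar; the function names, the `DEFAULT_EPOCH` variable and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: requires GNU tar (for --sort and --pax-option).

# 1980-02-01 00:00:00 UTC, the fallback value quoted in the thread.
DEFAULT_EPOCH=318211200

# repro_tar OUT PARENT NAME: archive PARENT/NAME into OUT with normalized
# ordering, mtime and ownership, and without atime/ctime pax records.
repro_tar() {
    tar --sort=name \
        --mtime="@${SOURCE_DATE_EPOCH:-$DEFAULT_EPOCH}" \
        --owner=0 --group=0 --numeric-owner \
        --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
        -cf "$1" -C "$2" "$3"
}

# make_tree PARENT STAMP: constructed sample tree whose mtimes are all set
# to STAMP (touch -t format), standing in for two separate checkouts.
make_tree() {
    mkdir -p "$1/build/sub"
    printf 'hello\n' > "$1/build/a.txt"
    printf 'world\n' > "$1/build/sub/b.txt"
    touch -t "$2" "$1/build/sub/b.txt" "$1/build/a.txt" "$1/build/sub" "$1/build"
}

# check_reproducible: returns 0 when the normalized archives of both trees
# are byte-identical while the plain archives of the same trees differ.
check_reproducible() {
    work=$(mktemp -d) || return 2
    make_tree "$work/one" 200101010000
    make_tree "$work/two" 201506150000
    tar -cf "$work/plain1.tar" -C "$work/one" build
    tar -cf "$work/plain2.tar" -C "$work/two" build
    repro_tar "$work/repro1.tar" "$work/one" build
    repro_tar "$work/repro2.tar" "$work/two" build
    rc=0
    cmp -s "$work/plain1.tar" "$work/plain2.tar" && rc=1  # plain archives should differ
    cmp -s "$work/repro1.tar" "$work/repro2.tar" || rc=1  # normalized archives must match
    rm -rf "$work"
    return "$rc"
}
```

Comparing the two normalized archives byte for byte is the check that matters for verification: identical content packed from trees with different timestamps must yield the same file.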