stevedlawrence opened a new pull request, #1214: URL: https://github.com/apache/daffodil/pull/1214
A common source of differences in our release artifacts is embedded timestamps. The latest version of sbt-native-packager, used to create these artifacts, now supports the SOURCE_DATE_EPOCH environment variable, which provides control over these embedded timestamps. When building the release candidate, we now set the SOURCE_DATE_EPOCH to the UNIX timestamp of when the commit being built was merged (i.e. the git "committer" time), allowing for reproducible builds.

There are some caveats:

* The MSI installer includes one UUID and timestamp that cannot be changed. Fortunately, msidiff shows this is the only difference, so it is straightforward to verify.
* The RPM created by the release candidate script embeds a GPG signature which has a timestamp of when the signature was created, which cannot be changed. To verify RPM reproducibility, the signature must be removed with rpmsign --delsign.
* Zip files still include a timestamp in an extended header. I'll report to sbt-native-packager and see if a fix can be included in the next release.

DAFFODIL-2890
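For the zip caveat above, a verifier can list which archive entries carry a timestamp that differs from SOURCE_DATE_EPOCH. The following is an added example, not code from the pull request or from Daffodil; it assumes the "extended header" is the Info-ZIP extended timestamp extra field (ID 0x5455), and the entry names and timestamps in the sample archive are constructed.

```python
import io
import struct
import zipfile

EXT_TS_ID = 0x5455  # assumption: Info-ZIP "UT" extended timestamp extra field


def extended_mtime(extra: bytes):
    """Return the UNIX mtime stored in a 0x5455 extra field, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        data = extra[pos + 4 : pos + 4 + size]
        # Layout: one flags byte (bit 0 = mtime present), then 32-bit LE seconds.
        if header_id == EXT_TS_ID and len(data) >= 5 and data[0] & 0x01:
            return struct.unpack_from("<I", data, 1)[0]
        pos += 4 + size
    return None


def audit_zip(blob: bytes, source_date_epoch: int):
    """List (name, mtime) for entries whose extended mtime differs from the epoch."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            mtime = extended_mtime(info.extra)
            if mtime is not None and mtime != source_date_epoch:
                findings.append((info.filename, mtime))
    return findings


def make_sample(epoch: int, build_time: int) -> bytes:
    """Constructed archive: one entry pinned to the epoch, one stamped at build time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, ts in (("bin/tool", epoch), ("lib/example.jar", build_time)):
            info = zipfile.ZipInfo(name, date_time=(2024, 1, 1, 0, 0, 0))
            info.extra = struct.pack("<HHBI", EXT_TS_ID, 5, 0x01, ts)
            zf.writestr(info, b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    epoch = 1700000000  # constructed stand-in for the commit's committer time
    for name, mtime in audit_zip(make_sample(epoch, epoch + 123), epoch):
        print(f"{name}: extended mtime {mtime} != SOURCE_DATE_EPOCH {epoch}")
```

An empty result from `audit_zip` means no entry's extended timestamp deviates from the epoch; it does not by itself show that two builds are byte-identical.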
