Hi! On Sun, 2016-11-13 at 14:21:45 +0100, Johannes Schauer wrote: > Also see: > > https://wiki.debian.org/ReproducibleBuilds/BuildinfoFiles#Semantics > > I've heard many upstream developers who were initially very much against > purging the timestamp when the build was done from their build artifacts > because they valued the information of when a build was done (whatever their > reasons are). So this information could simply be retained in that field in > the > .buildinfo file.
I've always claimed that myself, and that was one of the reasons I was reluctant to eliminate the date from the ar containers, I guess at the time I could not fully express concretely my gut feeling, but now I can. :) The build date is important, because there are actions and events that are time-based, but are still external to the confinement of the build environment. Say, a disk failure corrupting data on the chroot; a broken debootstrap creating disfunctional chroots, etc, etc. Some of those might not be immediately visible inside the affected system. But once known it is useful to be able to say which packages might be suspect by matching the event date ranges. Of course if the builds end up not matching other reproducible artifacts then those will be suspect, but if all reproducers have built using the same external event generator then that might be harder to see. :) Thanks, Guillem
