Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
> > Theoretically you could just ensure that the RPM signature uses the same > > `SOURCE_DATE_EPOCH` timestamp rather than the current time > > I generally assume that the private key used for signing is not available to > the rebuilder. If it _is_ available, the whole signature isn't worth very > much ;) And the rb.o definition requires the rebuild to be completely > independent, i.e. the rebuilder is supposed to reproduce a bit-for-bit > identical output only with access to the sources. So playing with the > signature time wouldn't help to achieve a reproducible build according to the > original definition. > > Also, I don't think that setting a fake time on the signature is something > that should be done. It's feels wrong, and would probably cause many > different issues. For example, the key might have some initial validity, so > probably we wouldn't even be able to sign packages with sufficiently old > `$SOURCE_DATE_EPOCH`. Expanding on the discussion of signatures here. While most distributions currently sign their packages with RSA keys using RSASSA-PKCS1v1.5, which is deterministic, both RSASSA-PSS signatures and ECDSA signatures involve randomness, and can thus never be reproduced even with access to the private key. As a consequence, attempting to reproduce the signature by fixing a timestamp does not actually solve the reproducibility problem. The correct way to deal with signatures is either to ignore them, or to transplant them. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1998211462 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Cool, thanks. We'll give this a go in Fedora as soon as it becomes available by doing some rebuilds of official koji builds. I hope it works as expected, and if not, we can always adjust. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1976390511 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
As for the other backends, I don't bother. If somebody files a PR/ticket on those, then we'll at least know somebody is actually using them. And if not... Oh and thanks for the patch! -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1975908070 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Merged #2930 into master. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#event-11994504993 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Okay... my dislike of how reprodu*cible* (see, the old dog learned a trick :laughing: ) builds are configured in rpm is really out of scope for this PR. It's not like I disagree with what this does. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1975904107 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
@Conan-Kudo approved this pull request. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#pullrequestreview-1911698628 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Sounds good to me. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1973616134 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
> Oh, wouldn't we need these fixups for all the VCS backends, not just Git? Theoretically, yes. In practice, nobody cares. I have never seen any of the other macros used. Once we have a version that is acceptable, I'd be happy to submit a follow-up that extends the same logic to other systems, if they support it. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1973553115 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Oh, wouldn't we need these fixups for all the VCS backends, not just Git? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1973534254 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
> @DemiMarie suggested a while back that if the non-signature aspects of the > package are reproducible, then you can combine the signature of the original > package with rebuilt package, and _that_ should be able to reproduce the > package. Yes, in principle you could. But it still wouldn't satisfy the definition on reproducible-builds.o because they require an **independent** rebuild to produce the same output. To transplant the signature, you'd need access to the "build outputs" from the first rebuild. Also, meh, we would get "bit-for-bit identical output", but at a very heavy price: we need access to the original build artifacts **and** we need some complicated tool to transplant signatures. Compared to this, the current state where we can do with access to the orginal build metadata (i.e. buildroot contents listings, not the output rpms) and use existing fairly simple tools to ignore parts of rpms seems like a better tradeoff. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1973320489 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Ah, you're right that if the builder and rebuilder aren't the same person (which, really, is the primary use case of reproducible builds) then you won't be able to reproduce the package. @DemiMarie suggested a while back that if the non-signature aspects of the package are reproducible, then you can combine the signature of the original package with the signature of the rebuilt package, and *that* should be able to verify correctly as if it was completely reproduced. https://github.com/rpm-rs/rpm/issues/156#issuecomment-1575994196 -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1973291699 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
> > A signed rpm build can never be "reproducible" according to their current > > definition. > > Theoretically you could just ensure that the RPM signature uses the same > `SOURCE_DATE_EPOCH` timestamp rather than the current time I generally assume that the private key used for signing is not available to the rebuilder. If it *is* available, the whole signature isn't worth very much ;) And the rb.o definition requires the rebuild to be completely independent, i.e. the rebuilder is supposed to reproduce a bit-for-bit identical output only with access to the sources. So playing with the signature time wouldn't help to achieve a reproducible build according to the original definition. Also, I don't think that setting a fake time on the signature is something that should be done. It's feels wrong, and would probably cause many different issues. For example, the key might have some initial validity, so probably we wouldn't even be able to sign packages with sufficiently old `$SOURCE_DATE_EPOCH`. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1972920932 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
>A signed rpm build can never be "reproducible" according to their current >definition. Theoretically you could just ensure that the RPM signature uses the same `SOURCE_DATE_EPOCH` timestamp rather than the current time - it's a bit icky, but it works. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1972502494 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
That spec was written by Debian maintainers and it's heavily slanted towards some Debian concepts and needs some adaptation to the rpm world. In particular, their definitions are incompatible with embedded signatures. A signed rpm build can never be "reproducible" according to their current definition. The issue has been reported and discussed, but this somehow doesn't "stick". So I don't think it's useful to take their definitions literally. The variant that is proposed here is functional and allows package builds to be reproducible (*). As discussed in https://github.com/rpm-software-management/rpm/issues/2894, Fedora (and RH) opted to **not** set RPM_BUILD_TIME based on the SOURCE_DATE_EPOCH. Thus, if we would insist on only looking at RPM_BUILD_TIME here, making builds reproducible would require also agreeing on changing how RPM_BUILD_TIME is defined and used. I don't want to do this, I don't think it's a good idea, I don't think it's useful for anything, and I certainly don't want to block this patch on that change. (*) "Reproducible" for an amended definition that makes sense for RPMs, but is different than the one on reproducible-builds.org. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1968780054 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
> SOURCE_DATE_EPOCH is exactly the field that should be used here. That > variable says when the sources were last modified, so if we do a fake commit > when unpacking the sources, this is the timestamp to use. I totally agree that's the timestamp to use, it's just the means of getting the value I mildly disagree with. I looked at https://reproducible-builds.org/specs/source-date-epoch/ a bit now, for the first time ever. Among other things, there's > Build processes MUST use this variable for embedded timestamps in place of > the "current" date and time. So if rpm is supposed to honor this spec, package buildtime MUST be set from SOURCE_DATE_EPOCH if its set. And from there, we get to the point that you can just use RPM_BUILD_TIME for any timestamps, you don't need to differentiate between the two. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1968421934 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
I wrote a longer reply in https://github.com/rpm-software-management/rpm/issues/2894… But even ignoring the discussion there, I think SOURCE_DATE_EPOCH is **exactly** the field that should be used here. That variable says when the sources were last modified, so if we do a fake commit when unpacking the sources, this is the timestamp to use. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1967741345 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Locking down the stored build time in the rpm headers to `SOURCE_DATE_EPOCH` can have other undesirable side-effects, so generally I wouldn't want that to be a thing for Fedora or any distribution, really. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1967579370 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
> Buildtime cannot be overriden? Buildtime would be SOURCE_DATE_EPOCH for reproducable builds, no? See the discussion in https://github.com/rpm-software-management/rpm/issues/2894 - its converging towards the notion that you select the source where buildtime is set, and then everything else uses that as the universal truth. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1966565548 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
I changed the patch to use $RPM_BUILD_TIME as fallback, as suggested by Neal. But I think $SOURCE_DATE_EPOCH must remain the primary source for this. When it is set, then we set various mtimes and other stuff to it, and it would be very strange to use something different for the repo commits. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1966542078 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
@keszybz pushed 1 commit. 1fac2eab0fd823817b52b53891f27d6cf2aacf43 Set git commit dates based on $SOURCE_DATE_EPOCH or $RPM_BUILD_TIME -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930/files/0caffe0df7e5d3ab1d510eeb226381dc831fe0ec..1fac2eab0fd823817b52b53891f27d6cf2aacf43 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
> I'd rather use rpm's buildtime here buildtime is not clamped? We had a discussion about this in https://github.com/rpm-software-management/rpm/issues/2603 and it was explicitly rejected. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1966507854 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
If we're not clamping the build-time but want the commits to be clamped (which is Fedora's configuration), then this is the way we need to do it. I do think that if SOURCE_DATE_EPOCH isn't set, we should clamp to RPM_BUILD_TIME though. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1966414614 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Just pushed a PR to make the buildtime available to scriptlets: #2933 -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1966395641 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
I'd rather use rpm's buildtime here, which for reproducable builds would be set from SOURCE_DATE_EPOCH. All packages have a buildtime so you don't need to conditionalize it. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1966336509 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Set git commit dates based on $SOURCE_DATE_EPOCH (PR #2930)
Another case which becomes reproducible with this patch: podman, and presumably any go package. Go builds include `vcs.revision=…` `vcs.time=…` somewhere in binary file metadata and with this patch (plus a few others to remove intentional randomness), `podman-5.0.0~rc3-3.fc41.x86_64.rpm` rebuilds nicely. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2930#issuecomment-1965966419 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint