Re: [PATCH 1/4] Add new "version" command

From: Thomas Schmitt
Subject: Re: [PATCH 1/4] Add new "version" command
Date: Thu, 29 Mar 2018 10:37:57 +0200


Hans de Goede wrote:
> > +  grub_printf ("%s, build %s %s\n", PACKAGE_STRING, __DATE__, __TIME__);
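
Review bot: __DATE__ and __TIME__ in the grub_printf arguments bake the compile time into the binary, so two builds of identical source will not be byte-for-byte the same. Consider printing only PACKAGE_STRING, or taking the build stamp from a value the build system fixes (for example one derived from SOURCE_DATE_EPOCH) rather than from the compiler's clock.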

Olaf Hering wrote:
> Debian sells something they call "reproducible build".

It's not actually a Debian thing, although some Debian Developers seem to
have initiated it and urge people to make binary production deterministic
and reproducible.

> Check their website why usage of __DATE__ and __TIME__ is a bad thing.

They offer a solution for the problem of timestamps by the definition
of an environment variable SOURCE_DATE_EPOCH, which shall override the
current time.

In the libraries underneath xorriso I based all timestamps and pseudo-random
data fields on this user-set timestamp, if it is present.
So if you set the variable SOURCE_DATE_EPOCH to the same value before runs
of grub-mkrescue, and if all GRUB tools underneath grub-mkrescue build
reproducible binaries and xorriso options, and if the other input files
are still the same (*), then the resulting ISO images of two runs will be
identical. (Needs xorriso-1.4.6 or younger.)

(*) Some attributes of input files do not matter in this case.
    A good tar copy of the input tree should be sufficiently similar.

Have a nice day :)
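
The SOURCE_DATE_EPOCH override described in this message, sketched as an added C example; it is not part of the original mail and is not GRUB or libisofs code. The helper names `build_timestamp` and `format_build_time` are hypothetical, and the sample epoch value is constructed.

```c
#define _POSIX_C_SOURCE 200809L  /* for setenv() and gmtime_r() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical helper: return the timestamp a build tool should embed.
   Uses SOURCE_DATE_EPOCH when it holds a plain non-negative decimal number
   of seconds, else the current time. *from_env tells which one was used. */
time_t build_timestamp(int *from_env)
{
    const char *s = getenv("SOURCE_DATE_EPOCH");
    char *end;
    long long v;

    *from_env = 0;
    if (s == NULL || *s < '0' || *s > '9')   /* unset, empty, sign, space */
        return time(NULL);
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno != 0 || *end != '\0')          /* overflow or trailing junk */
        return time(NULL);
    *from_env = 1;
    return (time_t)v;
}

/* Format in UTC so the string does not depend on the builder's time zone.
   Returns the number of characters written, 0 on failure. */
size_t format_build_time(time_t t, char *buf, size_t len)
{
    struct tm tm_utc;
    if (gmtime_r(&t, &tm_utc) == NULL)
        return 0;
    return strftime(buf, len, "%Y-%m-%d %H:%M:%S UTC", &tm_utc);
}

int main(void)
{
    char buf[32];
    int from_env;
    /* Constructed sample value: 2018-03-29 08:37:57 UTC. */
    setenv("SOURCE_DATE_EPOCH", "1522312677", 1);
    time_t t = build_timestamp(&from_env);
    format_build_time(t, buf, sizeof buf);
    printf("build %s (%s)\n", buf, from_env ? "SOURCE_DATE_EPOCH" : "clock");
    return 0;
}
```

With the variable set to the same value, every run prints the same build string; a malformed value falls back to the clock and is reported as such, so a non-reproducible build is visible rather than silent.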


