[ipxe-devel] reproducible builds, what if
Geert Stappers
stappers at stappers.nl
Sun May 3 20:29:02 UTC 2020
On Sun, May 03, 2020 at 12:18:26PM +0900, Christian Nilsson wrote:
> On Sun, 3 May 2020, 07:40 Michael Brown, <mcb30 at ipxe.org> wrote:
> > On 01/05/2020 23:36, Neil Roza wrote:
> >
> > > The `BUILD_TIMESTAMP` assignment has been changed to allow environment
> > > variable overriding, but it defaults to `SOURCE_DATE_EPOCH`. The source
> > > date epoch can also be overridden; it defaults to the Unix timestamp of
> > > the current git HEAD commit.
> >
> > This seems like a reasonable approach, but would need to fail gracefully
> > when built from something that isn't a git checkout. See the way that
> > VERSIONS is handled for an example.
> >
> What if there is any local non commited changes, or config file changes, or
> embedded script changes. The checksum over linked solves the hash, but is
> it actually correct to use git as a source for BUILD_TIMESTAMP when there
> is local changes?
I see the warning, but I don't see the problem.
In case that doesn't answer the "What if question",
please elaborate what the hidden danger is.
Groeten
Geert Stappers
--
Silence is hard to parse
More information about the ipxe-devel
mailing list