[ipxe-devel] reproducible builds, what if

Geert Stappers stappers at stappers.nl
Sun May 3 20:29:02 UTC 2020


On Sun, May 03, 2020 at 12:18:26PM +0900, Christian Nilsson wrote:
> On Sun, 3 May 2020, 07:40 Michael Brown, <mcb30 at ipxe.org> wrote:
> > On 01/05/2020 23:36, Neil Roza wrote:
> >
> > > The `BUILD_TIMESTAMP` assignment has been changed to allow environment
> > > variable overriding, but it defaults to `SOURCE_DATE_EPOCH`. The source
> > > date epoch can also be overridden; it defaults to the Unix timestamp of
> > > the current git HEAD commit.
> >
> > This seems like a reasonable approach, but would need to fail gracefully
> > when built from something that isn't a git checkout.  See the way that
> > VERSIONS is handled for an example.
> >
> What if there are any local uncommitted changes, or config file changes, or
> embedded script changes? The checksum over linked solves the hash, but is
> it actually correct to use git as a source for BUILD_TIMESTAMP when there
> are local changes?

I see the warning, but I don't see the problem.
In case that doesn't answer the "What if" question,
please elaborate on what the hidden danger is.


Regards
Geert Stappers
-- 
Silence is hard to parse
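
The precedence discussed in this thread (`BUILD_TIMESTAMP`, then `SOURCE_DATE_EPOCH`, then the commit time of git HEAD), with a graceful fallback outside a git checkout and a warning when the tree has uncommitted changes, as an added example that is not part of any message above and is not iPXE's Makefile code. The function names and the fallback value `0` are assumptions.

```shell
#!/bin/sh
# Added example, not iPXE build code. Function names are hypothetical.
# Precedence: BUILD_TIMESTAMP > SOURCE_DATE_EPOCH > git HEAD commit time.
# Assumption: with no git or no checkout, fall back to 0 instead of failing.

# Print the committer time (Unix epoch) of HEAD in tree $1, or nothing.
git_head_epoch() {
    command -v git >/dev/null 2>&1 || return 0
    git -C "$1" log -1 --format=%ct 2>/dev/null || true
}

# Print "clean", "dirty" or "nogit" for the tree at $1.
# Files outside the work tree (for example an embedded script kept
# elsewhere) are invisible to git and so are not covered by this check.
tree_state() {
    command -v git >/dev/null 2>&1 || { echo nogit; return 0; }
    git -C "$1" rev-parse --is-inside-work-tree >/dev/null 2>&1 ||
        { echo nogit; return 0; }
    if [ -n "$(git -C "$1" status --porcelain 2>/dev/null)" ]; then
        echo dirty
    else
        echo clean
    fi
}

# Print the timestamp to embed in the build of source tree $1.
resolve_build_timestamp() {
    srcdir=$1
    if [ -n "${BUILD_TIMESTAMP:-}" ]; then
        echo "$BUILD_TIMESTAMP"; return 0
    fi
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        echo "$SOURCE_DATE_EPOCH"; return 0
    fi
    epoch=$(git_head_epoch "$srcdir")
    case "$epoch" in
        ''|*[!0-9]*)
            echo "warning: no git commit time for $srcdir, using 0" >&2
            echo 0; return 0 ;;
    esac
    if [ "$(tree_state "$srcdir")" = dirty ]; then
        # The timestamp still describes HEAD, not the modified tree.
        echo "warning: uncommitted changes in $srcdir" >&2
    fi
    echo "$epoch"
}
```

Call `resolve_build_timestamp .` from the source directory; warnings go to stderr, so the value can be captured with command substitution.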


