Determinism on installed packages
Posted Apr 3, 2025 14:24 UTC (Thu) by jcpunk (subscriber, #95796)
Parent article: Fedora change aims for 99% package reproducibility
Initially, you'd think this is automatic given the binary consistency. However, if your package contains any symlinks, the mtime on the symlink is set to the timestamp when the archive is unpacked, whereas the binaries have the mtime of their compilation.
So, even if the binaries in the package are reproducible, the files produced by the package have differences on your filesystem.
This is primarily of interest to me for container workflows: if the links in /usr/bin had an mtime of what they linked to, then /usr/bin/ would be deterministic and potentially the layers would be easily duplicated.
Posted Apr 11, 2025 23:18 UTC (Fri)
by zuki (subscriber, #41808)
This does not seem to match what I see on Fedora. Maybe rpm gets this right?
$ ls -l /usr/bin/udevadm /usr/lib/systemd/systemd-udevd
-rwxr-xr-x 1 root root 644040 Mar 7 01:00 /usr/bin/udevadm
lrwxrwxrwx 1 root root 17 Mar 7 01:00 /usr/lib/systemd/systemd-udevd -> ../../bin/udevadm
$ rpm -q --changelog systemd|head -n1
* Fri Mar 07 2025 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 257.4-3
As you can see, the package was built Mar 7, and this means the timestamp of 00:00:00 UTC, which is 01:00:00 CET, which is my timezone. Fedora sets SOURCE_DATE_EPOCH from that changelog timestamp, and the mtimes of files in the package are clamped to that.
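The two behaviours discussed in this thread, side by side, as an added example that is not from either commenter and is not rpm's code: a symlink that keeps its unpack-time mtime makes two otherwise identical trees hash differently, and clamping every entry (the link itself included) to SOURCE_DATE_EPOCH makes them match. The function names, the sample tree and the digest format are assumptions made for illustration.

```python
import calendar, hashlib, os, stat, tempfile
from pathlib import Path
# Constructed value: the Mar 7 2025 00:00:00 UTC changelog date quoted in the thread.
SOURCE_DATE_EPOCH = calendar.timegm((2025, 3, 7, 0, 0, 0))

def entries(root):
    """All paths under root, sorted; os.walk does not follow symlinks by default."""
    return sorted(os.path.join(d, n) for d, dirs, files in os.walk(root) for n in dirs + files)

def clamp_mtimes(root, epoch):
    """Lower any mtime newer than epoch, including a symlink's own mtime."""
    for path in entries(root):
        if os.lstat(path).st_mtime > epoch:
            # follow_symlinks=False changes the link itself, not its target
            os.utime(path, (epoch, epoch), follow_symlinks=False)

def tree_digest(root):
    """SHA-256 over path, mode, mtime and content (or link target) of every entry."""
    h = hashlib.sha256()
    for path in entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            payload = os.readlink(path).encode()
        elif stat.S_ISREG(st.st_mode):
            payload = Path(path).read_bytes()
        else:
            payload = b""
        meta = f"{os.path.relpath(path, root)}|{st.st_mode:o}|{int(st.st_mtime)}|"
        h.update(meta.encode() + payload + b"\n")
    return h.hexdigest()

def unpack_sample(root, unpack_time):
    """Constructed payload: a binary with build-time mtime, a symlink with unpack-time mtime."""
    os.mkdir(os.path.join(root, "bin"))
    binary = os.path.join(root, "bin", "tool")
    Path(binary).write_bytes(b"constructed sample binary")
    os.utime(binary, (SOURCE_DATE_EPOCH, SOURCE_DATE_EPOCH))
    link = os.path.join(root, "bin", "tool-alias")
    os.symlink("tool", link)
    os.utime(link, (unpack_time, unpack_time), follow_symlinks=False)

def demo():
    """Return (digests equal before clamping, digests equal after clamping)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        unpack_sample(a, SOURCE_DATE_EPOCH + 3600)     # unpacked an hour after the build
        unpack_sample(b, SOURCE_DATE_EPOCH + 86400)    # same payload, unpacked a day later
        before = tree_digest(a) == tree_digest(b)
        clamp_mtimes(a, SOURCE_DATE_EPOCH)
        clamp_mtimes(b, SOURCE_DATE_EPOCH)
        return before, tree_digest(a) == tree_digest(b)
```

Running `tree_digest` over an installed tree on two hosts is a quick way to check whether link mtimes are the only thing keeping container layers from matching.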