From 1980932bf3a21890a9571effaa23fbe034fd388d Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Feb 29 2024 23:12:15 +0000 Subject: Use $SOURCE_DATE_EPOCH instead of random bytes Using random bytes makes the builds obviously irreproducible. Use instead $SOURCE_DATE_EPOCH as the source of the identifier, so that rebuilds of the same sources are the same. $SOURCE_DATE_EPOCH is augmented with %{name}-%{version}-%{release} and hashed with sha1sum to get a number that is 40 hexadecimal bytes (same as the one generated from the random bytes before). Any hash function would do, we only need something that has good hashing properties, there is no security component here since the input is public. Tested on podman-5.0.0~rc3-3.fc41.x86_64.rpm. Together with https://github.com/rpm-software-management/rpm/pull/2930 and https://src.fedoraproject.org/rpms/podman/pull-request/131, the build becomes reproducible. --- diff --git a/rpm/macros.d/macros.go-compilers-golang b/rpm/macros.d/macros.go-compilers-golang index bb783f9..f3084d4 100644 --- a/rpm/macros.d/macros.go-compilers-golang +++ b/rpm/macros.d/macros.go-compilers-golang @@ -44,7 +44,7 @@ EOF\ # $LDFLAGS is supported as a deprecated alias to $GO_LDFLAGS to add additional # arguments to `go build -ldflags "..."`. # Please set $GO_LDFLAGS instead of $LDFLAGS. -%gobuild_ldflags ${GO_LDFLAGS-${LDFLAGS-}} %{?currentgoldflags} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -compressdwarf=false -linkmode=external -extldflags '%{build_ldflags} %{?__golang_extldflags}' +%gobuild_ldflags ${GO_LDFLAGS-${LDFLAGS-}} %{?currentgoldflags} -B 0x$(echo "%{name}-%{version}-%{release}-${SOURCE_DATE_EPOCH:-}" | sha1sum | cut -d ' ' -f1) -compressdwarf=false -linkmode=external -extldflags '%{build_ldflags} %{?__golang_extldflags}' # A shell-escaped version of %gobuild_ldflags. # Can be used to set an environment or make variable. # Example from the aerc package:
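Review bot: In the new `-B` argument on the `+%gobuild_ldflags` line, the hashed string `%{name}-%{version}-%{release}-${SOURCE_DATE_EPOCH:-}` contains nothing specific to the binary being linked, so every executable linked through this macro in one package build gets the same build ID, where the replaced `/dev/urandom` version gave each link a distinct one. Consider mixing a per-binary value (for example the output name) into the hash input so the ID stays reproducible but still distinguishes binaries for tools that look things up by build ID. Separately, `${SOURCE_DATE_EPOCH:-}` silently expands to an empty string when the variable is unset, so the ID then depends only on name, version and release; a comment above the macro stating this fallback, or failing the build when the variable is empty, would make that behaviour explicit.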