Version information
Version information embedded in the software needs to be made deterministic. Counter-examples are using the current date or an incremental build counter.
The date and time of the build itself is hardly of value as an old source code can always be compiled long after it has been released. It’s best when version information gives a good indication of what source code has been built.
The version number can come from a dedicated source file, a changelog, or from a version control system. If a date is needed, it can be extracted from the changelog or the version control system. A cryptographic checksum can also help to pinpoint the exact source content. This makes Git commit ids good candidates as part of version information.
Introduction
Achieve deterministic builds
- SOURCE_DATE_EPOCH
- Deterministic build systems
- Volatile inputs can disappear
- Stable order for inputs
- Value initialization
- Version information
- Timestamps
- Timezones
- Locales
- Archive metadata
- Stable order for outputs
- Randomness
- Build path
- System images
- JVM
Define a build environment
- What's in a build environment?
- Recording the build environment
- Definition strategies
- Proprietary operating systems
Distribute the environment
Comparison protocol
Specifications
Follow us on Twitter @ReproBuilds, Mastodon @reproducible_builds@fosstodon.org & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches welcome via our Git repository (instructions) or via our mailing list. • Full contact info
