GNU bug report logs - #56893
rust-vergen inserts build timestamps, possible irreproducibility source

Previous Next

Package: guix;

Reported by: Maxime Devos <maximedevos <at> telenet.be>

Date: Tue, 2 Aug 2022 16:59:01 UTC

Severity: normal

Full log

View this message in rfc822 format

From: Maxime Devos <maximedevos <at> telenet.be>
To: 56893 <at> debbugs.gnu.org
Subject: bug#56893: rust-vergen inserts build timestamps, possible irreproducibility source
Date: Tue, 2 Aug 2022 18:57:54 +0200

[Message part 1 (text/plain, inline)]
While fixing build failures in antioxidant, I noticed that rust-vergen 
is a potential source of irreproducibility -- the README.md contains the 
following:

> ## Documentation
> [Documentation](https://docs.rs/vergen)
>
> ## Generate Compile Time Information
> `vergen`, when used in conjunction with cargo [build scripts], will
> generate environment variables to use with the `env!` macro. Below
> is a list of the supported variables.
>
> Key                       | Sample Value
> --------------------------|----------------------------------------
> VERGEN_BUILD_TIMESTAMP    |2018-08-09T15:15:57.282334589+00:000
> VERGEN_BUILD_DATE         |2018-08-09
> VERGEN_SHA |75b390dc6c05a6a4aa2791cc7b3934591803bc22
> VERGEN_SHA_SHORT          |75b390d
> VERGEN_COMMIT_DATE        |2018-08-08
> VERGEN_TARGET_TRIPLE      |x86_64-unknown-linux-gnu
> VERGEN_SEMVER             |v3.0.0
> VERGEN_SEMVER_LIGHTWEIGHT |v3.0.0
I'll try patching out the timestamps with 1970-...

Greetings,
Maxime.



[OpenPGP_0x49E3EE22191725EE.asc (application/pgp-keys, attachment)]
[OpenPGP_signature (application/pgp-signature, attachment)]
This bug report was last modified 2 years and 321 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.