Reproducible builds: do we need timestamp clamping?

[mwichmann]

Support for environment variable SOURCE_DATE_EPOCH in constructing SCons packages was added a few releases ago (this is written as 4.5 is current). It changes the default behavior of three values written into SCons/__init__.py as the "build" is done - __date__, __developer__ and __buildsys__. If any of those values were supplied to the build (as DATE, DEVELOPER, BUILDSYSTEM build variables) those are used; if not supplied a set SOURCE_DATE_EPOCH causes the latter two to become _reproducible, and for the date, the value of SOURCE_DATE_EPOCH is taken as a UNIX-style timestamp and that is converted. This prevents building again at a different time, on a different machine, or as a different user from producing packages with different contents.

This post is to noodle about whether additional work is needed (at this time there have not been requests, which is why this is a "discussion", not an "issue"). When SCons does a build, it copies files to the build directory, and packages those up with a variety of tools. If this wasn't done in an existing build tree, the documentation will be regenerated. This means essentially all the timestamps of the files used to prepare packages will be set to the time the build is done. https://reproducible-builds.org/specs/source-date-epoch/ mentions this case:

Timestamp clamping

One can reasonably assume that all source timestamps are before SOURCE_DATE_EPOCH and all builds take place after it. This means we can efficiently both preserve source-based timestamps and omit build-specific timestamps, by rewriting timestamps more recent than SOURCE_DATE_EPOCH back to the latter. See for example the --clamp-mtime option to GNU tar.

In our case, we can not assume that source timestamps are before SOURCE_DATE_EPOCH. Rebuilt packages (wheel, sdist, tar and zip bundles) will definitely get different file timestamps. Whether this matters in practice, I'm not sure. Because we don't directly call the tools that produce the archives (e.g. setuptools may do for us), we don't have a ton of control at that level.

[bdbaddog]

How is the timestamp used?
We can't reupload the same named/versioned package to pypi, so not sure if that has any impact on this.

[mwichmann]

If reproducible means we can generate the same results again, then timestamps in built archives would be the difference.

I only made this a discussion because I don't know if that's a problem - the topic was mentioned on the site but not to the level of detail to know whether it "really matters".