make times in iso images reproducible

[JanZerebecki]

by replacing mkisofs with xorriso, which enables reproducible mode when
environment variable SOURCE_DATE_EPOCH is set.

[adrianschroeter]

This means we would pin all file timestamps now to the time of the kiwi file sources, right?

So, in most cases the binary files (rpms) are changing without changing the kiwi file source. So we would get iso files where the timestamp of the rpms is older then their build time.

In practice this wouldn't matter most likely, but what is the point of this at all?

Shouldn't the files which are changing also get new timestamps?

[JanZerebecki]

No, changed files should not get new timestamps if that is only the result of build inputs changing. It is a side effect of how https://reproducible-builds.org/docs/source-date-epoch/ is defined, though that link lacks a discussion of that side effect, which I should add there. One reason is to avoid unnecessarily rebuilding things.

Btw. only a top level source should record the exact hashes of build inputs. In a OS distribution that would be what defines which source packages are part of the distribution.

The point of all this is to have the iso be bit wise reproducible to among others be able to detect security compromises of builds. For that openSUSE/product-builder-plugins#16 is also needed. But there is a signature in the iso that will probably remain the only non-reproducible bits, for which we need a different solution, probably a way to replace them in existing build results.