On Mon, Nov 21, 2016, at 09:18, Chris Lamb wrote:
> Whilst working on the Reproducible Builds effort [0] on behalf of the
> Tails operating system [1], I noticed that amd64-microcode generates
> a prepended initramfs image that is not reproducible.

So far so good, but...

> Patch attached.

It depends on SOURCE_DATE_EPOCH.  Is that going to be appropriately set
in every relevant situation?

Because the early initramfs is going to be (re?)generated at package
*install* / upgrade time.  So, it is not only at package build time...

Also, if the admin calls "update-initramfs", it will re-create the early
initramfs, and SOURCE_DATE_EPOCH is not going to be appropriately set at
that time.

For the intel-microcode package, I changed iucode-tool (v2.1 and later)
to set the dates to the latest microcode included in the image, which
makes it always reproducible as long as the same set of microcode is
used.  Unfortunately, this is not so trivial to do for amd64-microcode,
because we don't parse the microcode.

Maybe it would be better to hard-code the value of SOURCE_DATE_EPOCH
at package build time into the hook script?  It would then *always* use
that date to create any early initramfs...

-- 
  Henrique de Moraes Holschuh <h...@debian.org>
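
The trade-off discussed in the message above, as an added example (not part of the e-mail, the attached patch, or either package): it writes a minimal newc cpio by hand and compares an mtime taken from SOURCE_DATE_EPOCH against one pinned at package build time. Assumptions: `BUILD_EPOCH` is a constructed placeholder, the clock fallback in `env_mtime` is hypothetical, and the microcode path comes from the kernel's early-loading convention rather than from the e-mail.

```python
import hashlib
import os
import time

# Constructed placeholder for the value the package build would substitute into the hook.
BUILD_EPOCH = 1479720000
# Path the kernel's early microcode loader reads for AMD (not stated in the e-mail).
UCODE_PATH = "kernel/x86/microcode/AuthenticAMD.bin"

def env_mtime(environ, now):
    """Rely on SOURCE_DATE_EPOCH; falling back to the clock when unset is an assumption."""
    value = environ.get("SOURCE_DATE_EPOCH", "")
    return int(value) if value.isdigit() else int(now)

def _entry(name, data, mode, mtime, ino):
    """One newc record: 110-byte ASCII header, NUL-terminated name, data, padded to 4 bytes."""
    raw = name.encode() + b"\0"
    fields = (ino, mode, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(raw), 0)
    out = b"070701" + b"".join(b"%08X" % f for f in fields) + raw
    out += b"\0" * (-len(out) % 4)
    return out + data + b"\0" * (-len(data) % 4)

def early_initramfs(microcode, mtime):
    """Return the cpio bytes: parent directories, the microcode file, then the trailer."""
    parts = UCODE_PATH.split("/")
    out = b""
    for ino in range(1, len(parts)):
        out += _entry("/".join(parts[:ino]), b"", 0o040755, mtime, ino)
    out += _entry(UCODE_PATH, microcode, 0o100644, mtime, len(parts))
    return out + _entry("TRAILER!!!", b"", 0, 0, 0)

def digest(microcode, mtime):
    """SHA-256 of the generated image, the value a reproducibility check would compare."""
    return hashlib.sha256(early_initramfs(microcode, mtime)).hexdigest()

if __name__ == "__main__":
    blob = b"constructed microcode container bytes"
    print("env-dependent:", digest(blob, env_mtime(os.environ, time.time())))
    print("build-pinned: ", digest(blob, BUILD_EPOCH))
```

Run twice a few seconds apart without SOURCE_DATE_EPOCH in the environment, the first digest changes and the second does not, which is the install-time and update-initramfs case the message raises.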
