Regarding timestamps in tarballs, using tar's --mtime option to force timestamps to MOZ_BUILD_DATE (or a derivative thereof) could work.
On 19 July 2016 at 04:11, Kurt Roeckx <k...@roeckx.be> wrote:

> On 2016-07-18 20:56, Gregory Szorc wrote:
>
>> Then of course there is build signing, which takes a private key
>> and cryptographically signs builds/installers. With these in play, there is
>> no way for anybody not Mozilla to do a bit-for-bit reproduction of most
>> (all?) of the Firefox distributions at
>> https://www.mozilla.org/en-US/firefox/all/.
>
> There is at least a section about this here:
> https://reproducible-builds.org/docs/embedded-signatures/
>
> Kurt
>
> _______________________________________________
> dev-platform mailing list
> dev-platform@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform
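
The `--mtime` suggestion at the top of this message, sketched as an added example (not code from the thread or from Mozilla's build system). It goes beyond timestamps to the entry order, ownership and gzip header fields that also have to be pinned for a bit-for-bit match. Assumptions: GNU tar 1.28 or later, `MOZ_BUILD_DATE` in `YYYYMMDDHHMMSS` form interpreted as UTC, and the hypothetical helper names `build_date_to_mtime` and `repro_tar`.

```shell
# Added example. Assumes GNU tar >= 1.28 and that MOZ_BUILD_DATE has the
# form YYYYMMDDHHMMSS in UTC. Helper names are hypothetical.

# Turn a 14-digit build date into a string GNU tar's --mtime accepts.
build_date_to_mtime() {
    case "$1" in
        ''|*[!0-9]*) echo "MOZ_BUILD_DATE must be 14 digits: '$1'" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 14 ] || { echo "MOZ_BUILD_DATE must be 14 digits: '$1'" >&2; return 1; }
    printf '%s\n' "$1" |
        sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6 UTC/'
}

# repro_tar SRC_DIR OUT_TGZ BUILD_DATE
# The body runs in a subshell so variables stay local under plain POSIX sh.
repro_tar() (
    src=$1 out=$2
    mtime=$(build_date_to_mtime "$3") || exit 1
    tmp="$out.tar.$$"
    trap 'rm -f "$tmp"' EXIT
    # --mtime pins every entry's timestamp; --sort and the owner flags remove
    # the other per-machine metadata (readdir order, uid/gid, user names).
    tar --format=gnu --sort=name --mtime="$mtime" \
        --owner=0 --group=0 --numeric-owner \
        -C "$src" -cf "$tmp" . || exit 1
    # gzip -n leaves the original file name and timestamp out of the gzip header.
    gzip -n -c "$tmp" > "$out"
)
```

File modes are not normalized here, so two builds still need the same umask to produce identical archives.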