Add SOURCE_DATE_EPOCH support for reproducible builds #1537

Open
tonobo wants to merge 1 commit into aptly-dev:master from tonobo:reproducible-publish

@tonobo tonobo commented Feb 20, 2026

Description of the Change

Reproducible builds ensure that building the same source input always produces byte-identical output, regardless of when or where the build happens. This is important for security and trust: anyone can independently verify that published binaries actually correspond to their source code, with no tampering or hidden modifications.

When aptly publishes a repository to the filesystem, the Release file includes a Date field set to the current time. This means publishing the same packages twice produces different output, breaking reproducibility. By honoring SOURCE_DATE_EPOCH (a Unix timestamp typically derived from the last source change), the Date and Valid-Until fields become deterministic, making the entire published repository output byte-identical across runs with the same input.
This follows the https://reproducible-builds.org/specs/source-date-epoch/ specification, which is widely adopted across the Debian ecosystem and other projects.

Checklist

  • allow Maintainers to edit PR (rebase, run coverage, help with tests, ...)
  • unit-test added (if change is algorithm)
  • functional test added/updated (if change is functional)
  • man page updated (if applicable)
  • bash completion updated (if applicable)
  • documentation updated
  • author name in AUTHORS

Implement support for the SOURCE_DATE_EPOCH environment variable as
specified by reproducible-builds.org. When set, this variable overrides
the current timestamp in the Release file's Date and Valid-Until fields,
enabling reproducible filesystem publishes.

- Read SOURCE_DATE_EPOCH environment variable in Publish()
- Use the epoch timestamp for both Date and Valid-Until fields
- Gracefully fall back to current time if unset or invalid
- Add comprehensive tests for valid and invalid SOURCE_DATE_EPOCH values
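
The fallback behaviour listed in the commit message above, sketched as an added example; this is not the code from the pull request. The function names, the 7-day validity window and the rejection of negative values are assumptions of the example.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"time"
)

// publishTime picks the timestamp for the Release file (hypothetical helper).
// raw is the SOURCE_DATE_EPOCH value and set reports whether it was present.
// Unset or unparsable values fall back to now; this example also treats
// negative values as invalid. The bool tells the caller whether the time
// was pinned, so a silent fallback can be logged.
func publishTime(raw string, set bool, now time.Time) (time.Time, bool) {
	if !set {
		return now.UTC(), false
	}
	// Base 10 only: rejects "12.5", " 5", "0x10" and empty strings.
	secs, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || secs < 0 {
		return now.UTC(), false
	}
	return time.Unix(secs, 0).UTC(), true
}

// releaseDates renders the two time-dependent Release fields.
// validFor is an assumed validity window; 0 omits Valid-Until.
func releaseDates(ts time.Time, validFor time.Duration) string {
	out := "Date: " + ts.Format(time.RFC1123) + "\n"
	if validFor > 0 {
		out += "Valid-Until: " + ts.Add(validFor).Format(time.RFC1123) + "\n"
	}
	return out
}

func main() {
	raw, set := os.LookupEnv("SOURCE_DATE_EPOCH")
	ts, pinned := publishTime(raw, set, time.Now())
	fmt.Printf("pinned=%v\n%s", pinned, releaseDates(ts, 7*24*time.Hour))
}
```

In this sketch Valid-Until is computed from the pinned time as well, so an old epoch combined with a short validity window produces a Release file that apt already treats as expired.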

codecov bot commented Feb 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.64%. Comparing base (a65f79e) to head (49f3428).

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1537      +/-   ##
==========================================
- Coverage   76.96%   76.64%   -0.32%     
==========================================
  Files         160      160              
  Lines       14754    14757       +3     
==========================================
- Hits        11355    11311      -44     
- Misses       2266     2317      +51     
+ Partials     1133     1129       -4     

tonobo commented Feb 20, 2026

@neolynx Can you please have a look?