Regarding timestamps in tarballs, using tar's --mtime option to force timestamps to MOZ_BUILD_DATE (or a derivative thereof) could work.
On 19 July 2016 at 04:11, Kurt Roeckx <[email protected]> wrote:

> On 2016-07-18 20:56, Gregory Szorc wrote:
>
>> Then of course there is build signing, which takes a private key
>> and cryptographically signs builds/installers. With these in play, there is
>> no way for anybody not Mozilla to do a bit-for-bit reproduction of most
>> (all?) of the Firefox distributions at
>> https://www.mozilla.org/en-US/firefox/all/.
>
> There is at least a section about this here:
> https://reproducible-builds.org/docs/embedded-signatures/
>
> Kurt
>
> _______________________________________________
> dev-platform mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-platform
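The `--mtime` idea from the top of this message, as an added example that is not part of the original thread or of Mozilla's build system. It assumes GNU tar 1.28 or later and that `MOZ_BUILD_DATE` is a 14-digit UTC value of the form YYYYMMDDHHMMSS; it also goes one step beyond the message by pinning member order and ownership, which vary between machines just as timestamps do. The function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: GNU tar >= 1.28 (for --sort), sha256sum,
# and a MOZ_BUILD_DATE-style value of 14 digits, YYYYMMDDHHMMSS, in UTC.

# build_date_to_mtime ID: print ID as a date string GNU tar accepts.
build_date_to_mtime() {
    case "$1" in
        ''|*[!0-9]*) echo "bad build date: $1" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 14 ] || { echo "bad build date: $1" >&2; return 1; }
    printf '%s\n' "$1" |
        sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6 UTC/'
}

# repro_tar SRC_DIR OUT_TAR BUILD_DATE: archive SRC_DIR deterministically.
repro_tar() {
    mtime=$(build_date_to_mtime "$3") || return 1
    # --mtime pins every member's timestamp to the build date.
    # --sort=name fixes member order regardless of directory layout on disk.
    # The owner/group flags keep the packager's identity out of the headers.
    LC_ALL=C tar --create --file="$2" \
        --mtime="$mtime" --sort=name \
        --owner=0 --group=0 --numeric-owner \
        --directory="$1" .
}

# tar_digest FILE: SHA-256 of the archive, for comparing two builds.
tar_digest() {
    sha256sum "$1" | cut -d' ' -f1
}
```

Two runs over the same tree with the same build date should give the same digest even if the files were touched in between; compressing afterwards with `gzip -n` keeps gzip from adding its own timestamp.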

