Helm
Helm package
The helm package command from Helm versions before 4.0.0 cannot produce reproducible archives.
Since Helm version 4.0.0, it is possible to produce reproducible archives, even with the --sign option.
The package archive entries get a constant uid/gid and fixed POSIX permissions.
The file modification time is set to the source files’ modification time, which can vary.
Consider setting a constant file modification time before running helm package.
Set fixed file modification timestamp example
```bash
# Give every file and directory in the chart the same modification time
find "$PACKAGE_CONTENTS_DIRECTORY" -exec touch -d "2000-01-01 00:00:00" {} +
```
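The following is an added example, not code from this page or from the Helm project. It pins the timestamp as a Unix epoch so the result does not depend on the local timezone, checks that no entry was missed, and packages two separate copies of a chart to compare digests. The function names and the use of `SOURCE_DATE_EPOCH` as the timestamp source are assumptions of this example, as is the availability of GNU coreutils and findutils.

```bash
#!/usr/bin/env bash
# Added example, not Helm project code. Assumes GNU coreutils and findutils.
# 946684800 is 2000-01-01 00:00:00 UTC, the date used in the example above.

# Set every entry under directory $1 to the mtime given as Unix epoch $2.
# The "@epoch" form does not depend on the local timezone.
normalize_mtime() {
    find "$1" -exec touch --no-dereference -d "@$2" {} +
}

# Print entries under $1 whose mtime is not epoch $2; succeed only if none.
check_mtime() {
    stray=$(find "$1" -printf '%T@ %p\n' | awk -v e="$2" '$1 + 0 != e + 0')
    if [ -n "$stray" ]; then
        printf '%s\n' "$stray"
        return 1
    fi
    return 0
}

# Package chart $1 from two separate copies (standing in for two checkouts,
# each with fresh mtimes) and compare the archive digests.
# Needs helm on PATH; per the text above, Helm 4.0.0 or later.
package_is_reproducible() {
    chart=$1
    epoch=${SOURCE_DATE_EPOCH:-946684800}
    work=$(mktemp -d) || return 2
    for run in a b; do
        mkdir -p "$work/$run/src" "$work/$run/out"
        cp -R "$chart" "$work/$run/src/" || return 2
        copy="$work/$run/src/$(basename "$chart")"
        normalize_mtime "$copy" "$epoch"
        check_mtime "$copy" "$epoch" || return 2
        helm package "$copy" --destination "$work/$run/out" >/dev/null || return 2
        ( cd "$work/$run/out" && sha256sum -- *.tgz ) > "$work/$run.sum"
    done
    cmp -s "$work/a.sum" "$work/b.sum"
}
```

`package_is_reproducible ./mychart` returns 0 when both archives have the same SHA-256 digest, 1 when they differ, and 2 when a preparation step fails.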