Hi,
I impatiently added the SOURCE_DATE_EPOCH to the version of make-live that we use to build PureOS images. It seems to have made a difference though not completely eliminated our blockers to reproducibility; http://45.33.86.90/pureos-8.0-images.html
While the byte-for-byte difference now is much smaller, and the date is consistent across builds in the ISO at least, other parts of the build are getting the date from the file system I believe.
For example, under the section casper/filesystem.squashfs[0.] unsqaushfs -s {} says;
2 Creation·or·last·append·time·Fri·Jul·12·07:12:11·2019 2 Creation·or·last·append·time·Fri·Jul·12·05:11:57·2019
The leads me to believe that I need to ensure that SOURCE_DATE_EPOCH is being seen when the squashfs file system is written using Lamby's debug method of printing "echo SDE=$SOURCE_DATE_EPOCH" in various places to determine if it's being seen in each build context.
After that I think the next step, or even a step to take anyway, is to run strip-nondeterminism over the resulting ISOs[1.]
0. http://45.33.86.90/pureos-8.0-images.html#casper-filesystem.squashfs 1. https://packages.debian.org/sid/strip-nondeterminism
Feedback, corrections most welcome.
Regards,
Jeremiah