bootupctl backend generate-update-metadata writes a timestamp field in usr/lib/bootupd/updates/EFI.json using std::time::SystemTime::now() (src/efi.rs:604). This was introduced as a workaround for #933.
This is the sole source of non-reproducibility in our container image builds. When rebuilding the same image from the same inputs, the only difference between the two images is this timestamp:
- "timestamp": "2026-03-25T10:37:38.173666102Z",
+ "timestamp": "2026-03-25T11:05:02.924829010Z",
When SOURCE_DATE_EPOCH is set, generate-update-metadata should use it for the EFI timestamp instead of wall-clock time. This is the standard (https://reproducible-builds.org/specs/source-date-epoch/) mechanism for reproducible builds and is already used by tools like podman build --source-date-epoch.
When SOURCE_DATE_EPOCH is not set, behaviour should remain unchanged (use SystemTime::now()).
The BIOS component (src/bios.rs) derives its timestamp from RPM build times via packagesystem::query_files(), so it is already deterministic and does not need this change.
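A sketch of the requested behaviour, added here as an illustration and not taken from bootupd's code: the function names `resolve_timestamp` and `rfc3339_utc` are hypothetical, and the formatter uses only the standard library, which is an assumption about how the timestamp could be rendered, not how src/efi.rs does it.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

/// Hypothetical helper: choose the timestamp for the update metadata.
/// `sde` is the raw value of SOURCE_DATE_EPOCH, or None when it is unset.
fn resolve_timestamp(sde: Option<&str>, now: SystemTime) -> Result<SystemTime, String> {
    let Some(raw) = sde else {
        return Ok(now); // unset: behaviour unchanged, wall-clock time
    };
    // A malformed value is an error, not a silent fallback to the wall clock,
    // so a typo cannot quietly make the build non-reproducible again.
    let secs: u64 = raw
        .parse()
        .map_err(|e| format!("invalid SOURCE_DATE_EPOCH {raw:?}: {e}"))?;
    UNIX_EPOCH
        .checked_add(Duration::from_secs(secs))
        .ok_or_else(|| format!("SOURCE_DATE_EPOCH {raw:?} is out of range"))
}

/// Render a timestamp as RFC 3339 UTC with nanoseconds, the shape of the
/// "timestamp" values shown in the issue. Std-only (no chrono).
fn rfc3339_utc(t: SystemTime) -> String {
    let d = t.duration_since(UNIX_EPOCH).expect("timestamp before 1970");
    let (days, rem) = (d.as_secs() / 86_400, d.as_secs() % 86_400);
    // Days since 1970-01-01 -> civil date (Howard Hinnant's days-to-civil algorithm).
    let z = days as i64 + 719_468;
    let (era, doe) = (z / 146_097, z % 146_097);
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let (day, month) = (doy - (153 * mp + 2) / 5 + 1, if mp < 10 { mp + 3 } else { mp - 9 });
    let year = yoe + era * 400 + i64::from(month <= 2);
    format!(
        "{year:04}-{month:02}-{day:02}T{:02}:{:02}:{:02}.{:09}Z",
        rem / 3600, rem % 3600 / 60, rem % 60, d.subsec_nanos()
    )
}

fn main() {
    let sde = std::env::var("SOURCE_DATE_EPOCH").ok();
    match resolve_timestamp(sde.as_deref(), SystemTime::now()) {
        Ok(t) => println!("{{\"timestamp\": \"{}\"}}", rfc3339_utc(t)),
        Err(e) => { eprintln!("{e}"); std::process::exit(1); }
    }
}
```

With the variable set, two runs at different wall-clock times emit the same timestamp, with the sub-second part fixed at zero because SOURCE_DATE_EPOCH carries whole seconds only.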