Tarballs contain mtimes. They will not be reproducible if files have been generated or patched during build time.

Known affected packages

Detection

Example debbindiff output

Work-around

None known yet.

Solutions

--mtime

If individual mtimes don't matter, then use the --mtime option:

     --mtime=DATE-OR-FILE
           set mtime for added files from DATE-OR-FILE

--clamp-mtime

tar/1.28-1 in Debian supports the --clamp-mtime option which will only adjust files with a modification time later than the time specified with --mtime.

SOURCE_DATE := $(shell dpkg-parsechangelog --show-field=Date)

        tar --clamp-mtime --mtime="$(SOURCE_DATE)" -cf archive.tar src
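
The effect of --clamp-mtime on two builds of the same tree, as an added example that is not part of the original page. It assumes GNU tar 1.28 or later, GNU touch and sha256sum; the SOURCE_DATE value, the file names and the helper function names are constructed for the demonstration, and --format=gnu is pinned so that only the header mtime can differ between archives.

```shell
#!/bin/sh
# Added example. Assumes GNU tar >= 1.28, GNU touch and sha256sum.
# SOURCE_DATE is a constructed value standing in for the changelog date.
SOURCE_DATE='2015-01-01 00:00:00 UTC'

# Build a constructed tree under $1: one pristine upstream file with an old
# mtime and one file "generated during the build" with mtime $2.
make_tree() {
    mkdir -p "$1/src"
    echo 'int main(void) { return 0; }' > "$1/src/upstream.c"
    echo '#define VERSION "1.0"' > "$1/src/generated.h"
    touch --date='2001-01-01 00:00:00 UTC' "$1/src/upstream.c"
    touch --date="$2" "$1/src/generated.h"
}

# Write a tarball of $1/src to stdout; $2 = "clamp" applies the fix.
# --format=gnu is an assumption of this demo, not an option from the page.
pack() {
    if [ "$2" = clamp ]; then
        tar --format=gnu --clamp-mtime --mtime="$SOURCE_DATE" -C "$1" -cf - src
    else
        tar --format=gnu -C "$1" -cf - src
    fi
}

# SHA-256 of the tarball, used to compare two builds.
digest() { pack "$1" "$2" | sha256sum | cut -d' ' -f1; }

# Date (UTC) recorded in the clamped tarball for member $2.
stored_date() {
    pack "$1" clamp | TZ=UTC tar --full-time -tvf - |
        awk -v m="$2" '$NF == m { print $4 }'
}

# Two "builds" whose generated file gets a different mtime each time.
demo() {
    t=$(mktemp -d)
    make_tree "$t" '2020-01-01 00:00:00 UTC'
    p1=$(digest "$t" plain); c1=$(digest "$t" clamp)
    make_tree "$t" '2020-01-02 00:00:00 UTC'
    p2=$(digest "$t" plain); c2=$(digest "$t" clamp)
    if [ "$p1" = "$p2" ]; then echo 'plain: identical'; else echo 'plain: differs'; fi
    if [ "$c1" = "$c2" ]; then echo 'clamped: identical'; else echo 'clamped: differs'; fi
    rm -rf "$t"
}
```

Calling demo prints whether the plain and the clamped tarballs of the two builds match; stored_date shows that the old upstream file keeps its own mtime while the generated file is pulled back to SOURCE_DATE.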

Adjusting mtimes by modifying timestamps on disk

Use find, xargs, and touch to adjust file mtimes before tar is run. Example:

BUILD_DATE := $(shell dpkg-parsechangelog --show-field=Date)
[…]
       find '$(DIR)' -newermt '$(BUILD_DATE)' -print0 | \
               xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
       […] tar […]