
Ensure reproducible builds on Linux (#1731)

* ensure reproducible builds

* improve patch

* improve patch

* Narrow reproducibility scope to legacy and DEB

Keep the verified Linux legacy Makefile and DEB reproducibility paths, but remove the unverified RPM/openSUSE timestamp changes and AppImage reproducibility behavior from this PR.

The CPack mtime/mode clamp is now installed only for Debian/Ubuntu packaging, matching the scope covered by the provided reproducibility logs.

Retain umask 022 in the RPM/openSUSE wrappers so staged package permissions do not depend on a restrictive caller umask.

* Harden reproducible build cleanup

Validate SOURCE_DATE_EPOCH before interpolating it into Make, CMake or shell packaging paths.

Refuse live DESTDIR values in the CPack mtime clamp and pass makeself options through normal argv construction instead of eval.

---------

Co-authored-by: curious-rabbit <curious-rabbit@local>
Co-authored-by: Mounir IDRASSI <mounir.idrassi@amcrypto.jp>
This commit is contained in:
curious-rabbit
2026-05-18 13:54:13 +02:00
committed by GitHub
parent 8b1c668b77
commit 9535e65bd8
9 changed files with 402 additions and 6 deletions
+42
@@ -27,6 +27,34 @@ else()
endif()
project(${PROJECT_NAME})
# SOURCE_DATE_EPOCH for the cpack-driven DEB pipeline.
# Precedence: -DSOURCE_DATE_EPOCH=N, env, git HEAD, fixed fallback.
# Re-exported to ENV so dpkg-deb/tar inherit it.
if(NOT DEFINED SOURCE_DATE_EPOCH)
if(DEFINED ENV{SOURCE_DATE_EPOCH})
set(SOURCE_DATE_EPOCH "$ENV{SOURCE_DATE_EPOCH}")
else()
execute_process(
COMMAND git -C "$ENV{SOURCEPATH}" log -1 --pretty=%ct
OUTPUT_VARIABLE _git_ct
OUTPUT_STRIP_TRAILING_WHITESPACE
ERROR_QUIET
RESULT_VARIABLE _git_rc)
if(_git_rc EQUAL 0 AND _git_ct)
set(SOURCE_DATE_EPOCH "${_git_ct}")
else()
set(SOURCE_DATE_EPOCH "1577836800")
endif()
endif()
endif()
if(NOT SOURCE_DATE_EPOCH MATCHES "^[0-9]+$")
MESSAGE(FATAL_ERROR "SOURCE_DATE_EPOCH must be a non-negative Unix timestamp")
endif()
message(STATUS "SOURCE_DATE_EPOCH = ${SOURCE_DATE_EPOCH}")
set(ENV{SOURCE_DATE_EPOCH} "${SOURCE_DATE_EPOCH}")
# Avoid nondeterministic ordering from cpack 3.18+ parallel compression.
set(CPACK_THREADS 1)
# - Check whether 'Tcdefs.h' and 'License.txt' exist
if(NOT EXISTS "$ENV{SOURCEPATH}/Common/Tcdefs.h")
MESSAGE(FATAL_ERROR "Tcdefs.h does not exist.")
@@ -254,6 +282,19 @@ if ( ( PLATFORM STREQUAL "Debian" ) OR ( PLATFORM STREQUAL "Ubuntu" ) )
set( DEBIAN_PRERM ${CMAKE_CURRENT_BINARY_DIR}/Packaging/debian-control/prerm)
set( CPACK_GENERATOR "DEB" ) # mandatory
# Reproducible DEB: clamp the just-installed staging tree's mtimes
# and modes so the payload is independent of wall-clock time and
# the build umask. Placed AFTER install(DIRECTORY) so it runs against a
# populated tree (install rules execute in declaration order). The script
# acts only on a real package staging root and refuses a live prefix;
# see the script header for the staging-root detection rules.
configure_file(
"${CMAKE_CURRENT_SOURCE_DIR}/Tools/cmake_repro_clamp_mtimes.cmake.in"
"${CMAKE_CURRENT_BINARY_DIR}/cmake_repro_clamp_mtimes.cmake"
@ONLY)
install(SCRIPT "${CMAKE_CURRENT_BINARY_DIR}/cmake_repro_clamp_mtimes.cmake")
set( CPACK_DEBIAN_PACKAGE_NAME ${CPACK_PACKAGE_NAME} ) # mandatory
set( CPACK_DEBIAN_FILE_NAME ${CPACK_PACKAGE_FILE_NAME}.deb ) # mandatory
# -- Use a distro-specific version string to avoid repository conflicts --
@@ -357,6 +398,7 @@ elseif ( ( PLATFORM STREQUAL "CentOS" ) OR ( PLATFORM STREQUAL "openSUSE" ) OR (
set( CPACK_RPM_PACKAGE_GROUP "Applications/System" ) # mandatory, https://fedoraproject.org/wiki/RPMGroups
set( CPACK_RPM_PACKAGE_VENDOR ${CPACK_PACKAGE_VENDOR} ) # mandatory
set( CPACK_RPM_PACKAGE_AUTOREQ "no" ) # disable automatic shared libraries dependency detection (most of the time buggy)
if (VC_WITH_FUSE3)
set(VC_RPM_FUSE_PACKAGE "fuse3")
else ()
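Review bot: The `set(ENV{SOURCE_DATE_EPOCH} "${SOURCE_DATE_EPOCH}")` closing the first hunk only alters the environment of this cmake configure process, while the comment above it promises that dpkg-deb/tar inherit the value; cpack is a separate later process, so when the timestamp was resolved from the git or fixed-fallback branch rather than an already-exported environment variable it will not reach the package payload unless the packaging wrapper exports it itself, which is not visible here. Either make the comment precise (`# Exported to ENV for this configure run only; the packaging wrapper must export it for cpack/dpkg-deb`) or carry the value into the cpack run explicitly, for example by repeating the `set(ENV{...})` in a CPACK_PROJECT_CONFIG_FILE that cpack reads at packaging time. The fixed fallback `set(SOURCE_DATE_EPOCH "1577836800")` deserves a comment naming it (`# 2020-01-01T00:00:00Z`) so a reader can tell it is a deliberate constant rather than a build artifact. The uppercase `MESSAGE(FATAL_ERROR ...)` in the validation check sits two lines above a lowercase `message(STATUS ...)`; the new lines should settle on one spelling.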