Keep caller-provided SOURCE_DATE_EPOCH authoritative and derive the automatic default through a shared helper used by the Makefile, direct CMake/CPack packaging, and the deb packaging wrapper.
When repository metadata is available, use the HEAD commit timestamp without relying on git -C. Resolve the source root before probing Git so symlinked source paths still use the checkout HEAD. For source tarballs without .git, derive the fallback timestamp from the release date encoded in Common/Tcdefs.h instead of the stale 2020-01-01 constant.
Add TC_RELEASE_DATE_DAY and validate it together with TC_RELEASE_DATE_YEAR, TC_RELEASE_DATE_MONTH, and TC_STR_RELEASE_DATE. Abort when no valid timestamp can be derived.
For direct CMake invocation, initialize SOURCEPATH when the wrapper has not provided it, use the shared helper for derivation, validate the result, and export it for package targets. Also persist the configured epoch through CPACK_PROJECT_CONFIG_FILE so later standalone cpack --config runs export the same value before invoking package generators.
Document that automatic git-checkout builds and release-tarball builds intentionally use different epochs; release reproducers should build from the tarball or set SOURCE_DATE_EPOCH explicitly.
* ensure reproducible builds
* improve patch
* improve patch
* Narrow reproducibility scope to legacy and DEB
Keep the verified Linux legacy Makefile and DEB reproducibility paths, but remove the unverified RPM/openSUSE timestamp changes and AppImage reproducibility behavior from this PR.
The CPack mtime/mode clamp is now installed only for Debian/Ubuntu packaging, matching the scope covered by the provided reproducibility logs.
Retain umask 022 in the RPM/openSUSE wrappers so staged package permissions do not depend on a restrictive caller umask.
* Harden reproducible build cleanup
Validate SOURCE_DATE_EPOCH before interpolating it into Make, CMake or shell packaging paths.
Refuse live DESTDIR values in the CPack mtime clamp and pass makeself options through normal argv construction instead of eval.
---------
Co-authored-by: curious-rabbit <curious-rabbit@local>
Co-authored-by: Mounir IDRASSI <mounir.idrassi@amcrypto.jp>
Mounir IDRASSI
curious-rabbit
Mounir IDRASSI