From 4125646784cd620effe3ed3a13a1804c7bcafa4f Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Wed, 1 May 2024 15:17:49 +0900 Subject: [PATCH] Support reproducible builds (except packages) See docker-library/official-images issue 16044 - `ARG SOURCE_DATE_EPOCH` is added. The argument value is consumed by the build scripts to make the binary reproducible. - For Alpine, virtual package versions are pinned to "0" to eliminate the timestamp-based version numbers that appear in `/etc/apk/world` and `/lib/apk/db/installed` > [!NOTE] > The following topics are NOT covered by this commit: > > - To reproduce file timestamps in layers, BuildKit has to be executed with > `--output type=,rewrite-timestamp=true`. > Needs BuildKit v0.13 or later. > > - To reproduce the base image by the hash, reproducers may: > - modify the `FROM` instruction in Dockerfile manually > - or, use the `CONVERT` action of source policies to replace the base image. > > > - To reproduce packages, see the `RUN` instruction hook proposed in > moby/buildkit issue 4576 > Signed-off-by: Akihiro Suda Signed-off-by: Akihiro Suda --- 3.0/Dockerfile | 18 ++++++++++++++---- 3.1/Dockerfile | 18 ++++++++++++++---- 3.2/Dockerfile | 18 ++++++++++++++---- 4.0/Dockerfile | 18 ++++++++++++++---- 4.1/Dockerfile | 18 ++++++++++++++---- 4.2/Dockerfile | 18 ++++++++++++++---- 4.3/Dockerfile | 18 ++++++++++++++---- 4.4/Dockerfile | 18 ++++++++++++++---- 5.0/Dockerfile | 18 ++++++++++++++---- 5.1/Dockerfile | 18 ++++++++++++++---- 5.2/Dockerfile | 18 ++++++++++++++---- 5.3-rc/Dockerfile | 18 ++++++++++++++---- Dockerfile.template | 18 ++++++++++++++---- devel/Dockerfile | 16 +++++++++++++--- 14 files changed, 195 insertions(+), 55 deletions(-) diff --git a/3.0/Dockerfile b/3.0/Dockerfile index 1a1b2ab..1b17b24 100644 --- a/3.0/Dockerfile +++ b/3.0/Dockerfile 
@@ -14,9 +14,12 @@ ENV _BASH_BASELINE_PATCH 16
 ENV _BASH_LATEST_PATCH 22
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -44,7 +47,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -71,18 +74,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -122,7 +132,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/3.1/Dockerfile b/3.1/Dockerfile
index ff63401..3395eb7 100644
--- a/3.1/Dockerfile
+++ b/3.1/Dockerfile
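Review bot: The comment `# --force is set for reproducing timestamps` added above the `patch` call in the `@@ -71,18 +74,25 @@` hunk leaves out what the flag trades away: GNU patch honours `--set-utc` only when the file's mtime matches the diff header unless `-f`/`--force` is given, and `--force` also disables the reversed-patch and `Prereq:` checks, so a reversed or mismatched patch file is no longer detected at this step. The key import visible in the `@@ -44,7 +47,7 @@` hunk suggests the patches are signature-verified before this loop, which bounds the risk, but that justification belongs in the comment, e.g. `# --force: needed for --set-utc to apply header timestamps when mtimes differ; it also skips the reversed-patch and Prereq: checks, which is acceptable only because the patches were GPG-verified above`. The same hunk is repeated in 3.1 through 5.3-rc, Dockerfile.template and devel/Dockerfile; whether devel/Dockerfile verifies its patches is not visible in this diff. The enclosing RUN instruction starts and ends outside the hunk.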
@@ -13,9 +13,12 @@ ENV _BASH_BASELINE 3.1
 ENV _BASH_LATEST_PATCH 23
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -43,7 +46,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -70,18 +73,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -121,7 +131,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/3.2/Dockerfile b/3.2/Dockerfile
index baf48ca..14352e8 100644
--- a/3.2/Dockerfile
+++ b/3.2/Dockerfile
@@ -14,9 +14,12 @@ ENV _BASH_BASELINE_PATCH 57
 ENV _BASH_LATEST_PATCH 57
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -44,7 +47,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -71,18 +74,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -122,7 +132,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/4.0/Dockerfile b/4.0/Dockerfile
index d912ce8..ccf8767 100644
--- a/4.0/Dockerfile
+++ b/4.0/Dockerfile
@@ -13,9 +13,12 @@ ENV _BASH_BASELINE 4.0
 ENV _BASH_LATEST_PATCH 44
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -43,7 +46,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -70,18 +73,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -124,7 +134,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/4.1/Dockerfile b/4.1/Dockerfile
index a46f521..15429fc 100644
--- a/4.1/Dockerfile
+++ b/4.1/Dockerfile
@@ -13,9 +13,12 @@ ENV _BASH_BASELINE 4.1
 ENV _BASH_LATEST_PATCH 17
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -43,7 +46,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -70,18 +73,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -119,7 +129,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/4.2/Dockerfile b/4.2/Dockerfile
index 2372407..233c988 100644
--- a/4.2/Dockerfile
+++ b/4.2/Dockerfile
@@ -14,9 +14,12 @@ ENV _BASH_BASELINE_PATCH 53
 ENV _BASH_LATEST_PATCH 53
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -44,7 +47,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -71,18 +74,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -120,7 +130,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/4.3/Dockerfile b/4.3/Dockerfile
index 29c941e..90813d9 100644
--- a/4.3/Dockerfile
+++ b/4.3/Dockerfile
@@ -14,9 +14,12 @@ ENV _BASH_BASELINE_PATCH 30
 ENV _BASH_LATEST_PATCH 48
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -44,7 +47,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -71,18 +74,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -120,7 +130,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/4.4/Dockerfile b/4.4/Dockerfile
index 4bcd61e..6d77a2b 100644
--- a/4.4/Dockerfile
+++ b/4.4/Dockerfile
@@ -14,9 +14,12 @@ ENV _BASH_BASELINE_PATCH 18
 ENV _BASH_LATEST_PATCH 23
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -44,7 +47,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -71,18 +74,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -120,7 +130,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/5.0/Dockerfile b/5.0/Dockerfile
index 848f99b..1949380 100644
--- a/5.0/Dockerfile
+++ b/5.0/Dockerfile
@@ -13,9 +13,12 @@ ENV _BASH_BASELINE 5.0
 ENV _BASH_LATEST_PATCH 18
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -43,7 +46,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -70,18 +73,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -115,7 +125,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/5.1/Dockerfile b/5.1/Dockerfile
index d15f651..89d2069 100644
--- a/5.1/Dockerfile
+++ b/5.1/Dockerfile
@@ -14,9 +14,12 @@ ENV _BASH_BASELINE_PATCH 16
 ENV _BASH_LATEST_PATCH 16
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -44,7 +47,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -71,18 +74,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -116,7 +126,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/5.2/Dockerfile b/5.2/Dockerfile
index cae7295..1ffa7aa 100644
--- a/5.2/Dockerfile
+++ b/5.2/Dockerfile
@@ -14,9 +14,12 @@ ENV _BASH_BASELINE_PATCH 21
 ENV _BASH_LATEST_PATCH 26
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -44,7 +47,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -71,18 +74,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -116,7 +126,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/5.3-rc/Dockerfile b/5.3-rc/Dockerfile
index 6c199b0..6c95e7e 100644
--- a/5.3-rc/Dockerfile
+++ b/5.3-rc/Dockerfile
@@ -11,9 +11,12 @@ ENV _BASH_VERSION 5.3-alpha
 ENV _BASH_BASELINE 5.3-alpha
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -41,7 +44,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -68,18 +71,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 cd /usr/src/bash; \
 gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
@@ -113,7 +123,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/Dockerfile.template b/Dockerfile.template
index 05034a3..b4bf090 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -19,9 +19,12 @@ ENV _BASH_LATEST_PATCH {{ .patch.version }}
 {{ ) end -}}
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -52,7 +55,7 @@ RUN set -eux; \
 done; \
 fi; \
 \
- apk add --no-cache --virtual .gpg-deps gnupg; \
+ apk add --no-cache --virtual .gpg-deps=0 gnupg; \
 export GNUPGHOME="$(mktemp -d)"; \
 # gpg: key 64EA74AB: public key "Chet Ramey " imported
 gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 7C0135FB088AAF6C66C650B9BB5869F064EA74AB; \
@@ -80,18 +83,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 {{ if env.version == "devel" then ( -}}
 \
 # https://lists.gnu.org/archive/html/bug-bash/2023-05/msg00011.html
@@ -146,7 +156,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \
diff --git a/devel/Dockerfile b/devel/Dockerfile
index 3b4b8c6..cd0a0ef 100644
--- a/devel/Dockerfile
+++ b/devel/Dockerfile
@@ -12,9 +12,12 @@ ENV _BASH_COMMIT f65ed506d4dfecbc2667c34a9cb18175ada95cea
 ENV _BASH_VERSION devel-20240603
 # prefixed with "_" since "$BASH..." have meaning in Bash parlance
+# The global SOURCE_DATE_EPOCH is consumed by commands that are not associated with a source artifact
+ARG SOURCE_DATE_EPOCH
+
 RUN set -eux; \
 \
- apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps=0 \
 bison \
 coreutils \
 dpkg-dev dpkg \
@@ -38,18 +41,25 @@ RUN set -eux; \
 rm bash.tar.gz; \
 \
 if [ -d bash-patches ]; then \
- apk add --no-cache --virtual .patch-deps patch; \
+ apk add --no-cache --virtual .patch-deps=0 patch; \
 for p in bash-patches/*; do \
+# --force is set for reproducing timestamps
 patch \
 --directory=/usr/src/bash \
 --input="$(readlink -f "$p")" \
 --strip=0 \
+ --set-utc \
+ --force \
 ; \
 rm "$p"; \
 done; \
 rmdir bash-patches; \
 apk del --no-network .patch-deps; \
 fi; \
+ SOURCE_DATE_EPOCH="$(find /usr/src/bash -type f -exec stat -c '%Y' {} + | sort -nr | head -n1)"; \
+ export SOURCE_DATE_EPOCH; \
+# for logging validation/edification
+ date --date "@$SOURCE_DATE_EPOCH" --rfc-2822; \
 \
 # https://lists.gnu.org/archive/html/bug-bash/2023-05/msg00011.html
 { echo '#include '; echo; cat /usr/src/bash/lib/sh/strscpy.c; } > /usr/src/bash/lib/sh/strscpy.c.new; \
@@ -87,7 +97,7 @@ RUN set -eux; \
 | sort -u \
 | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
 )"; \
- apk add --no-network --virtual .bash-rundeps $runDeps; \
+ apk add --no-network --virtual .bash-rundeps=0 $runDeps; \
 apk del --no-network .build-deps; \
 \
 [ "$(which bash)" = '/usr/local/bin/bash' ]; \