You're semantically right, but also missing the point. The expense of getting to deterministic builds is large: you have to take great care in your build infrastructure and scripts. The benefits are also large, and worth it.
Once you've gotten to deterministic builds, the expense of getting to reproducible builds is small; typically days' worth of work as opposed to months. The benefits are very different, but far from insignificant, and almost invaluable from a security perspective.
If you're going to do deterministic builds, go for broke: do reproducible builds.
It really depends. If I’m building a Java project, I’m pretty sure I’ve got a deterministic build just by running javac pointed at a source directory. If I want a reproducible build, I probably need to do a lot more:
- ensure timestamps of all files embedded in jar files are consistent
- ensure there is no BuildTime/BuildHost/BuildNumber variable of any kind being captured
- ensure the exact version of the compiler is documented
- ensure exact versions of all dependencies in the classpath are captured
There's an interesting pattern I've found in this: don't ensure that there's no BuildTime/BuildHost/BuildNumber embedded. Ensure that all variables that are part of the build are captured and embedded. That is, it's okay for your build to include the Build Time, but that's an assertion at build time. Include it as a build output. Binaries should include all of the mutable environment used to build them as an embed. As in, their --version output should include them.
# bazel version
Build label: 2.0.0
Build target: bazel-out/darwin-opt/bin/src/main/java/com/google/devtools/build/lib/bazel/BazelServer_deploy.jar
Build time: Thu Dec 19 12:33:30 2019 (1576758810)
Build timestamp: 1576758810
Build timestamp as int: 1576758810
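As an added illustration (not code from this thread, from Bazel, or from any project mentioned here), the following Python script applies the pattern above to the Java-style checklist a few comments up. A jar is just a zip, so the script packages a constructed stand-in for javac output into one: every mutable input (build time, build host, a constructed compiler version string, and constructed dependency digests) is captured as data and embedded as META-INF/BUILD-INFO.json, every entry timestamp is derived from the recorded build time, and a version_string function prints the record the way a --version flag would. The reproduce function is the third-party check: it rebuilds from the artifact's own embedded record and expects byte-identical output. The entry name, the function names, the dependency coordinates and the bytecode bytes are all assumptions made for the example.

```python
import hashlib
import io
import json
import platform
import time
import zipfile

# Constructed stand-in for compiler output: archive path -> bytes.
# A real javac run would produce these; the bytes here are placeholders.
SOURCES = {
    "com/example/Util.class": b"\xca\xfe\xba\xbe Util bytecode (constructed)",
    "com/example/App.class": b"\xca\xfe\xba\xbe App bytecode (constructed)",
}

# Constructed classpath pins: exact coordinates plus a digest of each jar.
DEPENDENCIES = {
    "org.example:lib:1.4.2": hashlib.sha256(b"lib-1.4.2.jar (constructed)").hexdigest(),
}

# Hypothetical entry name for the embedded environment record.
BUILD_INFO_ENTRY = "META-INF/BUILD-INFO.json"


def capture_build_env(now=None, host=None):
    """Record every mutable input of the build as data.

    Nothing is scrubbed: build time and host are allowed, but they become
    outputs that travel with the artifact instead of silent inputs."""
    return {
        "build_time": int(time.time() if now is None else now),
        "build_host": platform.node() if host is None else host,
        "compiler": "javac 17.0.2 (constructed version string)",
        "dependencies": DEPENDENCIES,
    }


def build_jar(classes, env):
    """Package classes into a jar (a zip) whose bytes depend only on
    `classes` and `env`: sorted entry order, entry timestamps derived
    from env['build_time'], stored (uncompressed) entries, fixed attrs."""
    stamp = time.gmtime(env["build_time"])[:6]  # zip wants (Y, M, D, h, m, s)
    members = dict(classes)
    members[BUILD_INFO_ENTRY] = json.dumps(env, sort_keys=True).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in sorted(members):
            zi = zipfile.ZipInfo(name, date_time=stamp)
            zi.compress_type = zipfile.ZIP_STORED
            zi.create_system = 3            # keep the host OS out of the header
            zi.external_attr = 0o644 << 16  # fixed permissions, not the umask
            jar.writestr(zi, members[name])
    return buf.getvalue()


def read_build_info(jar_bytes):
    """Pull the embedded environment record back out of an artifact."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return json.loads(jar.read(BUILD_INFO_ENTRY))


def version_string(jar_bytes):
    """What a --version flag should print: the recorded build inputs."""
    info = read_build_info(jar_bytes)
    when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(info["build_time"]))
    lines = [
        f"Build compiler: {info['compiler']}",
        f"Build host: {info['build_host']}",
        f"Build time: {when} ({info['build_time']})",
        f"Build timestamp: {info['build_time']}",
    ]
    lines += [f"Dependency: {k} sha256:{v}" for k, v in sorted(info["dependencies"].items())]
    return "\n".join(lines)


def reproduce(jar_bytes, classes=SOURCES):
    """Third-party rebuild: feed the artifact's own recorded environment back
    in as the input and expect byte-identical output."""
    return build_jar(classes, read_build_info(jar_bytes))


if __name__ == "__main__":
    first = build_jar(SOURCES, capture_build_env())
    print(version_string(first))
    print("reproducible:", reproduce(first) == first)
```

Two builds with freshly captured environments will differ, because the build time differs, but that difference is now visible in the artifact rather than hidden in it; a verifier reads the record, rebuilds with it, and compares bytes. Any input left out of the record (a compiler flag, an unpinned dependency) shows up as a rebuild that does not match, which is the signal you want.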
Deterministic build means every time you compile the same source you get the same executable. Reproducible build means that you specify and relay enough information to allow everyone else to reproduce your results for themselves in their own environment.