embedding of username and hostname in libvlccore.so.* causes reproducibility issues
I have been investigating Reproducible Builds issues in various Debian packages, and recently explored what it would take to make VLC build bit-for-bit reproducibly. https://reproducible-builds.org
One of the issues I found was that the hostname and username of the build environment are embedded in the build results. I confirm this is still present in git master as of commit d98f1346.
This is set in configure.ac as VLC_COMPILE_BY and VLC_COMPILE_HOST, and ends up in the libvlccore.so.* library, possibly by way of src/version.c or src/libvlccore.sym as VLC_CompileBy and VLC_CompileHost.
I am wondering what exactly is the goal or purpose of embedding the username and hostname of the build environment into the binaries and if that could be accomplished some other way that would allow builds to be reproducible even when built by a different user on a machine with a different hostname.
I reported this issue in Debian with a patch to set these to empty values:
https://bugs.debian.org/990246
The maintainer suggested that these values were needed by upstream when reporting issues. I would guess in many cases the username or hostname may not clearly indicate where VLC was built.
Debian and many other projects have detailed build logs (e.g. https://buildd.debian.org/vlc) that are publicly available and derivable from the package name and version.
Would it be reasonable in these cases to have a flag to disable the embedding of these values, or embed some other potentially more unambiguous value to track the origin of the build environment? Or possibly detect some values at run-time rather than build-time? Or, to make a modest proposal, to remove embedding username and hostname information entirely?
Thanks for your consideration.
FWIW, I have personally used VLC for many years; thanks for maintaining a great project!
live well, vagrant
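
A check for the issue reported above, as an added example that is not part of the original report or of VLC's code: it scans a built artifact such as libvlccore.so.* for the build user's name and hostname and shows the string each one sits in. The function names and the sample bytes are constructed for illustration.

```python
import getpass
import re
import socket
import sys

def build_identifiers(user=None, host=None):
    """Byte strings that identify the build environment: user, hostname, short hostname."""
    user = user or getpass.getuser()
    host = host or socket.gethostname()
    names = {user, host, host.split(".")[0]}
    # Names shorter than 3 characters match too much unrelated binary data.
    return sorted(n.encode() for n in names if len(n) >= 3)

def c_string_at(data, pos, length):
    """Return the NUL-delimited string surrounding a match, for context."""
    start = data.rfind(b"\x00", 0, pos) + 1
    end = data.find(b"\x00", pos + length)
    if end == -1:
        end = len(data)
    return data[start:end].decode("ascii", "replace")

def find_leaks(data, identifiers):
    """List (offset, identifier, enclosing string) for every occurrence."""
    hits = []
    for ident in identifiers:
        for m in re.finditer(re.escape(ident), data):
            hits.append((m.start(), ident.decode(), c_string_at(data, m.start(), len(ident))))
    return sorted(hits)

# Constructed sample standing in for a library's string data (not real VLC output).
SAMPLE = (b"\x7fELF\x00\x00VLC media player\x00builder01\x00"
          b"buildhost.example.org\x00gcc version\x00")

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan a real artifact against the current user/host
        with open(sys.argv[1], "rb") as fh:
            data, ids = fh.read(), build_identifiers()
    else:                          # demo on the constructed sample
        data, ids = SAMPLE, build_identifiers("builder01", "buildhost.example.org")
    leaks = find_leaks(data, ids)
    for offset, ident, context in leaks:
        print(f"0x{offset:08x}  {ident!r} inside {context!r}")
    sys.exit(1 if leaks else 0)
```

Run on the machine that did the build and pass the library path as the only argument; a non-zero exit status means a build-environment identifier was found in the file.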