The following specfile will build non-reproducibly on RHEL 9:

Name:    python3-foo
Version: 1.0
Release: 1
Summary: foo
License: Foo License

BuildRequires: python3-devel

%description
foo

%prep

%build

%install
for i in $(seq 1 100); do
    touch ${RPM_BUILD_ROOT}/foo$i
done

%files
/foo*

%changelog
* Mon Jun 02 2025 Chris Riches <chris.riches@nutanix.com>
- dummy entry for SOURCE_DATE_EPOCH

The culprit is an interaction between RPM and python3-rpm-generators. The latter applies the following dynamic dependencies to the first file it sees from the package:

Provides:  python-foo    = 1.0-1
Provides:  python3.9-foo = 1.0-1
Obsoletes: python39-foo  < 1.0-1

However, RPM passes the package files into this generator in a non-deterministic order, meaning that a different file gets the dependency each time. This causes the overall build to be non-reproducible due to differences in the Filedependsx, Filedependsn, and Dependsdict parts of the RPM metadata.

I have a proposed RPM patch to fix this: https://github.com/rpm-software-management/rpm/pull/3786