What determines what a package hash will be? Are they deterministic? It seems like things like SDK version affects it which is to be expected but what else?
Will multiple builds against the same source files result in the same package hash?
Do things like OS/line endings, whitespace changes, time of build etc. affect it?
It’s a hash of the package (after compilation to Daml-LF) and all of its dependencies (also compiled to Daml-LF first, if they’re not “data-dependencies”).
The SDK version the code is compiled with is also the version of the Standard Library that it gets compiled against, which is why that changes the hash, just like upgrading any other dependency. Depending on the specifics of the code and the versions of the compiler, it’s also possible that the compiler might be generating different LF, which obviously would also change the hash.
Perhaps less obviously, the hash also includes the package name (the project name set in daml.yaml) and version (also set in daml.yaml).
We work very hard to make sure that, for a given source tree (including dependencies & daml.yaml configuration) and a given compiler version, the package hash is reproducible. That means it does not include any kind of “time-of-compilation-timestamp”, and it does not depend on the OS you compile on (we actually have a test for that).