Holger Levsen <hol...@layer-acht.org> writes: > On Thu, Mar 20, 2025 at 10:37:15PM +0100, Simon Josefsson wrote: >> +1 on reproducible tarballs. > > sure, +1, patches welcome! :) \o/
Attached starting point, thoughts? https://salsa.debian.org/debian/devscripts/-/merge_requests/490 The patch needs review/improvement from those more familiar with mk-origtargz and the debian/tests/ framework. My main argument is that solving this is harder than it looks, and I fear that solving the general problem here may actually be infeasible. It can help to realize this, otherwise one may think that solving this is just a matter of adding the right parameters (which is what the patch attempt to do). While we could attempt to continue patch things, how about a bigger question: why do we re-create tarballs? I guess there are many different use-cases, but I believe some of them are symptoms of some bigger problem. The solution in those use-cases isn't to improve reproducability of tarball re-creation, it is to avoid creating our own tarballs. Maybe some use-cases really do require us to re-create tarballs, and maybe in those particular cases designing a solution to the --mtime concern is feasible. For those wanting to understand why solving the --mtime concern is a hard problem, here is a partial helper tool to aid with this: https://lists.gnu.org/archive/html/bug-gnulib/2025-02/msg00166.html I dislike all that complexity though, so for some upstream projects (libtasn1, libidn2, inetutils, ...) I am using a heavy hammer like this: TAR_OPTIONS += --mode=go+u,go-w --mtime=$(abs_top_srcdir)/NEWS mtime-NEWS-to-git-HEAD: $(AM_V_GEN)if test -e $(srcdir)/.git \ && command -v git > /dev/null; then \ touch -m -t "$$(git log -1 --format=%cd --date=format-local:%Y%m%d%H%M.%S)" $(srcdir)/NEWS; \ fi We could do the same in Debian, replacing NEWS with last timestamp of debian/changelog, but it is important to remember that this is an ugly workaround rather than a solution. Solving it like this will lead to other problems. Solving it properly requires going to the root cause of the problem, which is what Bruno is chasing in that e-mail thread. /Simon
From a811a58bb007f7f0fe474e0ff1a105c48fedc238 Mon Sep 17 00:00:00 2001 From: Simon Josefsson <si...@josefsson.org> Date: Fri, 21 Mar 2025 09:40:48 +0100 Subject: [PATCH] MkOrigtargz: Improve tarball reproducibility. The --format=ustar is better than the V7 format and is a conservative choice if we don't want to switch to PAX just yet, see discussion here: https://serverfault.com/questions/250511/which-tar-file-format-should-i-use Using --numeric-owner --owner=0 --group=0 avoids relying on the target system having a /etc/passwd and /etc/group user/group called 'root' and that they both map to uid/gid 0 which is the intent. Sorting filenames with --sort=name improve tarball reproducability. Hard code permissions with --mode=go=rX,u+rw,a-s inspired by Guix. Using --mtime and --clamp-mtime remains and is the complex part. --- lib/Devscripts/MkOrigtargz.pm | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/lib/Devscripts/MkOrigtargz.pm b/lib/Devscripts/MkOrigtargz.pm index b1a691dc..86993afc 100644 --- a/lib/Devscripts/MkOrigtargz.pm +++ b/lib/Devscripts/MkOrigtargz.pm @@ -110,11 +110,19 @@ sub make_orig_targz { # tar it all up spawn( exec => [ - 'tar', '--owner=root', - '--group=root', '--mode=a+rX', - '--create', '--file', - "$destfiletar", '--directory', - $tempdir, @files + 'tar', + '--format=ustar', + '--owner=0', + '--group=0', + '--numeric-owner', + '--sort=name', + '--mode=go=rX,u+rw,a-s', + '--create', + '--file', + "$destfiletar", + '--directory', + $tempdir, + @files ], wait_child => 1 ); -- 2.48.1
signature.asc
Description: PGP signature
