Re: RFC: git-commit based mtime-reproducible tarballs

From: Bruno Haible
Subject: Re: RFC: git-commit based mtime-reproducible tarballs
Date: Sun, 15 Jan 2023 14:21:01 +0100

Hi Simon,

> >   This attempts to make
> >   reproducible tarballs by sorting the files and passing the
> >   "--mtime=<date>" option to tar. ...
> Having the same mtime on all files in a tarball

First question: What is the point of doing that?

Reproducibility is about verifying that an artifact A was generated
from a source S.

When I, as a GNU maintainer or uploader, create a tarball and upload it
to ftp.gnu.org, that tarball is the source S. Because that's what I sign
with my GPG key. The commits in the git repo aren't the source, and even
the git checkout on my disk isn't the source — because I am free to
unpack and repack the tarball as I like, before I upload it to ftp.gnu.org.

When someone runs a complex build on possibly untrusted servers in the
cloud, then it makes sense to view the tarball as an artifact A and the
git repository as the source S. (If the git repository is hosted elsewhere.
If the git repository is being hosted on the same untrusted servers,
it is not sufficient.)

As a consequence, please make such modifications dependent on an option
or environment variable (maybe SOURCE_DATE_EPOCH [1]?); don't activate
them for everyone.

> 1) Having the same mtime on all files in a tarball may cause problems

Definitely. HP-UX 'make' attempts to rebuild a file Y that depends on
a file X, if Y and X have the same timestamp (mtime). It has long been known
that you have to have actually different timestamps for some files.


[1] https://reproducible-builds.org/docs/source-date-epoch/
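
An added example, not part of the message above and not gnulib's code: a sketch of the opt-in behaviour requested in the message, where sorting and mtime normalization happen only when SOURCE_DATE_EPOCH is set. It uses Python's tarfile module instead of tar's "--mtime" option; the function names, file names and timestamps are constructed for illustration.

```python
import io
import os
import tarfile

def dist_tarball(srcdir, environ=os.environ):
    """Return tar bytes for srcdir; normalize only if SOURCE_DATE_EPOCH is set."""
    epoch = environ.get("SOURCE_DATE_EPOCH")   # opt-in switch, see [1]
    fixed_mtime = int(epoch) if epoch else None
    paths = []
    for root, dirs, files in os.walk(srcdir):
        if fixed_mtime is not None:
            dirs.sort()                        # deterministic traversal order
            files.sort()
        paths += [os.path.join(root, f) for f in files]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in paths:
            info = tar.gettarinfo(path, arcname=os.path.relpath(path, srcdir))
            if fixed_mtime is not None:
                info.mtime = fixed_mtime       # same mtime on every member
                info.uid = info.gid = 0        # drop builder-specific ownership
                info.uname = info.gname = ""
            with open(path, "rb") as fh:
                tar.addfile(info, fh)
    return buf.getvalue()

def member_mtimes(tar_bytes):
    """Map member name -> mtime as recorded in the archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        return {m.name: m.mtime for m in tar.getmembers()}

def make_sample_tree(directory):
    """Constructed input: a source file and a newer file generated from it."""
    for name, mtime in (("configure.ac", 1000), ("configure", 2000)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("# sample content for " + name + "\n")
        os.utime(path, (mtime, mtime))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        print("default:", member_mtimes(dist_tarball(tmp, {})))
        env = {"SOURCE_DATE_EPOCH": "1673788861"}   # constructed sample value
        print("opt-in: ", member_mtimes(dist_tarball(tmp, env)))
```

With the variable unset, the members keep their distinct on-disk timestamps; with it set, every member carries the same mtime, which is the condition the HP-UX 'make' remark above is about.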
