[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Help-tar] --deterministic option?
From: |
Jérémy Bobbio |
Subject: |
[Help-tar] --deterministic option? |
Date: |
Wed, 27 May 2015 12:44:15 +0200 |
User-agent: |
Mutt/1.5.23 (2014-03-12) |
Hi!
We are working in Debian— and I know other free software projects
care— in providing our users with a way to reproduce bit-for-bit
identical binary packages from the source and build enviroment.
See <https://wiki.debian.org/ReproducibleBuilds/About> for some
rationale and further explainations.
In order to do this, we need to make our build processes as
deterministic as possible. As you can imagine, Tar is quite involved in
producing Debian packages. A straightforward call leads to multiple
issues:
* Order of files in the archive will depend on the filesystem order.
* User and group names are recorded. This can be seen as a privacy leak
for the package builder.
* Permissions are dependent on the builder umask.
* Last modification times of members of files created during the build
will be dependent on the build time.
* Also, if gzip compression is used, a timestamp will be recorded in
gzip header.
So, we are currently turning calls like:
tar -zcf archive.tar.gz src
into:
find src -print0 | LC_ALL=C sort -z |
GZIP=-9n tar --null -T - --no-recursion \
--owner=root --group=root --numeric-owner \
--mode=go=rX,u+rw,a-s \
--mtime=debian/changelog \
-zcf archive.tar
It would be great to avoid at least some of the boilerplate. Finding a
generic solution for permissions and modification times might be too
much, but having a `--deterministic` flag for the rest of the issues
would be quite helpful already.
What do you think?
--
Lunar .''`.
address@hidden : :Ⓐ : # apt-get install anarchism
`. `'`
`-
signature.asc
Description: Digital signature
- [Help-tar] --deterministic option?,
Jérémy Bobbio <=