[pkg-go] Minutes for the DebConf17 BoF
Martín Ferrari
tincho at tincho.org
Thu Nov 9 00:27:27 UTC 2017
On 08/11/17 21:01, Martín Ferrari wrote:
> The best test would be to use gbp to create the tarballs under different
> conditions (machine, user name, path, manually touch()ing files locally)
> and see if they are really reproducible.
For one data point, I just tried this on two different machines (same
arch, though), on different paths, one a fresh clone, the other my usual
work dir, and after some random touch() of files, I always get the same tar.

$ gbp buildpackage --git-force-create --git-no-pristine-tar \
    --git-compression=gzip --git-compression-level=9
$ sha256sum ../build-area/prometheus_1.8.1+ds.orig.tar.gz
726f7c392f99b48b63a85bc8f873fbdecbf6fabbb167a2dd7be312bdcf56d60c  ../build-area/prometheus_1.8.1+ds.orig.tar.gz

Which, notably, does not match what's on the archive. It seems I had
different default values for the compression level on different
machines, so I had to pass the parameters explicitly.
If I use compression level 6, I get that exact SHA:

$ sha256sum ../build-area/prometheus_1.8.1+ds.orig.tar.gz
726f7c392f99b48b63a85bc8f873fbdecbf6fabbb167a2dd7be312bdcf56d60c  ../build-area/prometheus_1.8.1+ds.orig.tar.gz

I think if we mandate some fixed parameters (by policy or inclusion in
debian/gbp.conf), this approach would be feasible.
--
Martín Ferrari (Tincho)
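
The effect reported above, as an added example that is not part of the original message and is not gbp's code: a tarball built with normalised metadata hashes the same regardless of path or touch(), but changes as soon as the gzip level changes. The helper names, the sample tree and the normalisation choices are assumptions made for illustration.

```python
import gzip, hashlib, io, os, tarfile, tempfile

def make_tree(parent, name, mtime):
    """Constructed sample tree: same content every call, only path and mtime vary."""
    tree = os.path.join(parent, name)
    os.makedirs(os.path.join(tree, "cmd"))
    words = [b"storage", b"retrieval", b"rules", b"web", b"notifier", b"config"]
    body = b" ".join(words[hashlib.sha256(b"%d" % i).digest()[0] % 6] for i in range(20000))
    for rel, data in (("README", b"constructed sample\n"), ("cmd/main.go", body)):
        path = os.path.join(tree, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))  # stands in for a local touch()
    return tree

def orig_tar_gz(tree, level):
    """Pack `tree` with normalised metadata and gzip it at the given level."""
    members = sorted(
        os.path.relpath(os.path.join(root, f), tree)
        for root, _dirs, files in os.walk(tree) for f in files)
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for rel in members:
            info = tar.gettarinfo(os.path.join(tree, rel), arcname=rel)
            # Drop everything that depends on the machine, the user or touch().
            info.mtime, info.uid, info.gid, info.mode = 0, 0, 0, 0o644
            info.uname = info.gname = "root"
            with open(os.path.join(tree, rel), "rb") as fh:
                tar.addfile(info, fh)
    out = io.BytesIO()
    # Empty filename and mtime=0 keep the gzip header free of local state;
    # the compression level is then the only remaining input.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb",
                       compresslevel=level, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def compare():
    """SHA-256 of the tarball for (tree A, level 6), (tree B, level 6), (tree B, level 9)."""
    sha = lambda blob: hashlib.sha256(blob).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        a = make_tree(tmp, "fresh-clone", 1000000000)
        b = make_tree(tmp, os.path.join("usual", "work-dir"), 1510000000)
        return sha(orig_tar_gz(a, 6)), sha(orig_tar_gz(b, 6)), sha(orig_tar_gz(b, 9))

if __name__ == "__main__":
    a6, b6, b9 = compare()
    print("same level, different path/mtime:", a6 == b6)
    print("level 6 vs level 9:", b6 == b9)
```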