[pkg-go] Minutes for the DebConf17 BoF

Michael Stapelberg stapelberg at debian.org
Thu Nov 9 07:24:12 UTC 2017


Thanks for looking into this.

I think mandating compression algorithms and levels is necessary for
this approach indeed, but I’m not sure if it’s sufficient.

At least for our transition period, we’ll have to use origtargz.

I’m happy to pro-actively add compression algorithm/level options and
evaluate at a later time whether that worked. I think just testing
across different machines is a good start, but we should also pass the
test of time — perhaps we can easily simulate that by testing on
stable/oldstable.

On Thu, Nov 9, 2017 at 1:27 AM, Martín Ferrari <tincho at tincho.org> wrote:
> On 08/11/17 21:01, Martín Ferrari wrote:
>> The best test would be to use gbp to create the tarballs under different
>> conditions (machine, user name, path, manually touch()ing files locally)
>> and see if they are really reproducible.
>
> For one data point, I just tried this on two different machines (same
> arch, though), on different paths, one a fresh clone, the other my usual
> work dir, and after some random touch() of files, I always get the same tar.
>
> $ gbp buildpackage --git-force-create --git-no-pristine-tar --git-compression=gzip --git-compression-level=9
>
> $ sha256sum ../build-area/prometheus_1.8.1+ds.orig.tar.gz
> 726f7c392f99b48b63a85bc8f873fbdecbf6fabbb167a2dd7be312bdcf56d60c  ../build-area/prometheus_1.8.1+ds.orig.tar.gz
>
>
> Which, notably, does not match what's on the archive. It seems I had
> different default values for the compression level on different
> machines, so I had to pass the parameters explicitly.
>
> If I use compression level 6, I get that exact SHA:
>
> $ sha256sum ../build-area/prometheus_1.8.1+ds.orig.tar.gz
> 726f7c392f99b48b63a85bc8f873fbdecbf6fabbb167a2dd7be312bdcf56d60c  ../build-area/prometheus_1.8.1+ds.orig.tar.gz
>
> I think if we mandate some fixed parameters (by policy or inclusion in
> debian/gbp.conf), this approach would be feasible.
>
> --
> Martín Ferrari (Tincho)



-- 
Best regards,
Michael
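
The test described in this thread (same sources, different path, touch()ed files, different compression level), as an added example that is not part of either message and does not invoke gbp. It is a Python stand-in that normalises tar metadata itself; the SAMPLE tree and all function names are constructed for illustration.

```python
import gzip, hashlib, io, os, tarfile, tempfile

# Constructed sample tree (not taken from the thread).
SAMPLE = {"README": b"prometheus sample\n" * 50, "src/main.go": b"package main\n" * 200}

def write_tree(root, mtime):
    """Materialise SAMPLE under root and touch() every file to `mtime`."""
    for rel, data in SAMPLE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))

def orig_tarball(root, level):
    """Return .tar.gz bytes that depend only on names, contents and level."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for dirpath, dirnames, filenames in os.walk(root):
            dirnames.sort()  # fixed traversal order
            for name in sorted(filenames):
                full = os.path.join(dirpath, name)
                # Fresh TarInfo: uid/gid 0, empty user/group names.
                info = tarfile.TarInfo(os.path.relpath(full, root))
                info.size = os.path.getsize(full)
                info.mode = 0o644  # ignore the local file mode
                info.mtime = 0     # ignore local timestamps (touch())
                with open(full, "rb") as fh:
                    tar.addfile(info, fh)
    # mtime=0 keeps the build time out of the gzip header.
    return gzip.compress(buf.getvalue(), compresslevel=level, mtime=0)

def digest(root, level):
    return hashlib.sha256(orig_tarball(root, level)).hexdigest()

def compare():
    """Build in two different paths with different mtimes; return 3 digests."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, 1_000_000_000)
        write_tree(b, 1_500_000_000)
        return digest(a, 9), digest(b, 9), digest(a, 6)

if __name__ == "__main__":
    a9, b9, a6 = compare()
    print("level 9, path A:", a9)
    print("level 9, path B:", b9)
    print("level 6, path A:", a6)
```

Matching digests on one machine say nothing about whether a different zlib version emits the same bytes, which is what the stable/oldstable test proposed above would check.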


