[Reproducible-builds] unreproducible tarballs generated during build (was: Re: Fwd: reproducible builds)
Jérémy Bobbio
lunar at debian.org
Tue Feb 10 15:15:27 UTC 2015
Andreas Beckmann:
> On 2015-02-10 01:00, Mattia Rizzolo wrote:
> >> * after fixing the timestamps in a kernel module source tarball, the
> >> file order has changed ... I didn't see a corresponding issue in the
> >> Wiki to make that deterministic (underlying filesystem is a tmpfs)
> >
> > File order where?
>
> The file order inside the tarball created by debian/rules during the
> build. Maybe you need to teach tar some more determinism :-)
>
> After copying a lot of stuff into $(module_source), the rules now do this:
>
> find '$(module_source)/../../modules' -depth -newermt '$(BUILD_DATE)' -print0 | \
> xargs -0r touch --no-dereference --date='$(BUILD_DATE)'
>
> # Build the tarball.
> tar cfJ $(module_txz) \
> --owner=root --group=src -C $(module_source)/../.. \
> --exclude '*.in' --exclude '.svn' modules

This will write files in the order of the filesystem which is not
deterministic. I thought this had been documented, but it was not. Now
fixed: https://wiki.debian.org/ReproducibleBuilds/FileOrderInTarballs

Instead of solely using tar, use find+sort+tar.

Before:

    tar -cf archive.tar src

After:

    find src -print0 | LC_ALL=C sort -z |
        tar --null -T - --no-recursion -cf archive.tar

--
Lunar .''`.
lunar at debian.org : :Ⓐ : # apt-get install anarchism
`. `'`
`-