mk-origtargz: create reproducible tarballs and --mtime option
Diederik de Haas
didi.debian at cknow.org
Thu Mar 20 19:22:27 GMT 2025
On Thu Aug 31, 2017 at 10:57 AM CEST, Chris Lamb wrote:
>> mk-origtargz: create reproducible tarballs and --mtime option
>
> Adding a Reproducible Builds usertag and pinging the ML -- I hadn't
> spotted this wishlist bug before.
How about adding f.e. ``--sort name`` to the tar invocation?
That parameter was explicitly added for reproducibility here:
https://salsa.debian.org/kernel-team/linux/-/commit/ea024852d4
The Debian kernel team switched from their own 'genorig.py' script to
using ``uscan``, which IIUC invokes mk-origtargz here:
https://salsa.debian.org/kernel-team/linux/-/commit/55243dbd8d6842f
But I want to use my local clone of the upstream kernel instead of
downloading ~250MB each time, so I want to restore that 'genorig.py'
script for myself, but still get identical results.
The sha256sums of the uncompressed tar archives are identical and
diff-ing the extracted orig.tar.xz archives showed no difference at all.
So I went looking what could be the reason why the sha256sums of the
orig.tar.xz files were different. And that's when I found the first
mentioned commit. And reproducibility is good, so it seems best if
mk-origtargz is improved to produce reproducible results.
So a +1 on this feature request from me.
Cheers,
Diederik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-builds/attachments/20250320/b203bfb1/attachment.sig>
More information about the Reproducible-builds
mailing list