Bug#807270: mk-origtargz: create reproducible tarballs and --mtime option
Simon Josefsson
simon at josefsson.org
Fri Mar 21 09:06:50 GMT 2025
Holger Levsen <holger at layer-acht.org> writes:
> On Thu, Mar 20, 2025 at 10:37:15PM +0100, Simon Josefsson wrote:
>> +1 on reproducible tarballs.
>
> sure, +1, patches welcome! :) \o/

Attached starting point, thoughts?

https://salsa.debian.org/debian/devscripts/-/merge_requests/490

The patch needs review/improvement from those more familiar with
mk-origtargz and the debian/tests/ framework.

My main argument is that solving this is harder than it looks, and I
fear that solving the general problem here may actually be infeasible.
It can help to realize this, otherwise one may think that solving this
is just a matter of adding the right parameters (which is what the patch
attempts to do).

While we could attempt to continue patching things, how about a bigger
question: why do we re-create tarballs?

I guess there are many different use-cases, but I believe some of them
are symptoms of some bigger problem. The solution in those use-cases
isn't to improve reproducibility of tarball re-creation, it is to avoid
creating our own tarballs. Maybe some use-cases really do require us to
re-create tarballs, and maybe in those particular cases designing a
solution to the --mtime concern is feasible.

For those wanting to understand why solving the --mtime concern is a
hard problem, here is a partial helper tool to aid with this:

https://lists.gnu.org/archive/html/bug-gnulib/2025-02/msg00166.html

I dislike all that complexity though, so for some upstream projects
(libtasn1, libidn2, inetutils, ...) I am using a heavy hammer like this:

TAR_OPTIONS += --mode=go+u,go-w --mtime=$(abs_top_srcdir)/NEWS

mtime-NEWS-to-git-HEAD:
	$(AM_V_GEN)if test -e $(srcdir)/.git \
			&& command -v git > /dev/null; then \
		touch -m -t "$$(git log -1 --format=%cd --date=format-local:%Y%m%d%H%M.%S)" $(srcdir)/NEWS; \
	fi

We could do the same in Debian, replacing NEWS with last timestamp of
debian/changelog, but it is important to remember that this is an ugly
workaround rather than a solution. Solving it like this will lead to
other problems. Solving it properly requires going to the root cause of
the problem, which is what Bruno is chasing in that e-mail thread.

/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-MkOrigtargz-Improve-tarball-reproducibility.patch
Type: text/x-diff
Size: 1818 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/reproducible-builds/attachments/20250321/264c8410/attachment.patch>
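
The effect of the two TAR_OPTIONS flags quoted in the message, checked on two checkouts of the same content. This is an added example, not part of the message or of the devscripts merge request. It assumes GNU tar 1.28 or later and gzip; --sort=name, --format=ustar, the owner/group flags and gzip -n are additions beyond the message's options, and the tree, modes and timestamps are constructed.

```shell
#!/bin/sh
# Added example. Requires GNU tar >= 1.28 (for --sort=name), gzip, sha256sum.
set -eu

# repro_tar SRCDIR REFFILE OUT: archive SRCDIR with its metadata pinned.
# REFFILE must be an absolute path: GNU tar treats the --mtime argument as a
# file name only when it starts with "/" or ".".
repro_tar() {
    tar --sort=name --format=ustar \
        --owner=0 --group=0 --numeric-owner \
        --mode=go+u,go-w --mtime="$2" \
        -C "$(dirname "$1")" -cf - "$(basename "$1")" | gzip -n > "$3"
}

# make_tree DIR FILEMODE STAMP: constructed checkout; same content every time,
# but file modes and the mtime of main.c vary the way two real checkouts would.
make_tree() {
    mkdir -p "$1/pkg/src"
    printf 'v1.0\n' > "$1/pkg/NEWS"
    printf 'int main(void) { return 0; }\n' > "$1/pkg/src/main.c"
    chmod "$2" "$1/pkg/NEWS" "$1/pkg/src/main.c"
    touch -m -t "$3" "$1/pkg/src/main.c"        # checkout-time noise
    touch -m -t 202503200000.00 "$1/pkg/NEWS"   # stand-in for the commit date
}

digest() { sha256sum "$1" | cut -d' ' -f1; }

work=$(mktemp -d)
make_tree "$work/a" 644 202501010000.00
( umask 077; make_tree "$work/b" 600 202502020000.00 )

# Plain tar records on-disk mtimes and modes, so the two checkouts differ.
tar -C "$work/a" -cf "$work/a-naive.tar" pkg
tar -C "$work/b" -cf "$work/b-naive.tar" pkg
naive_a=$(digest "$work/a-naive.tar")
naive_b=$(digest "$work/b-naive.tar")

# Pinned: every member gets the mtime of NEWS and group/other bits derived
# from the user bits, so only file content and names reach the archive.
repro_tar "$work/a/pkg" "$work/a/pkg/NEWS" "$work/a.tar.gz"
repro_tar "$work/b/pkg" "$work/b/pkg/NEWS" "$work/b.tar.gz"
pinned_a=$(digest "$work/a.tar.gz")
pinned_b=$(digest "$work/b.tar.gz")
rm -rf "$work"

echo "naive:  $naive_a / $naive_b"
echo "pinned: $pinned_a / $pinned_b"
```

The --mode expression only normalizes group and other bits; two checkouts whose user bits differ (for example a lost execute bit) would still produce different archives.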