ENT-14061: Make the source and package tarballs reproducible#3166
Open
larsewi wants to merge 1 commit into
Open
ENT-14061: Make the source and package tarballs reproducible#3166larsewi wants to merge 1 commit into
larsewi wants to merge 1 commit into
Conversation
larsewi
added
the
cherry-pick?
larsewi
force-pushed
the
reproducible-tar-package
branch
from
a549186 to
6437978
Compare
larsewi
changed the title
larsewi
force-pushed
the
reproducible-tar-package
branch
2 times, most recently
from
ca2bd45 to
5dbc2fb
Compare
Two builds of the same source tree now produce byte-identical tarballs, following GNU tar's reproducibility guidance: * Select tar-pax in configure.ac so $(am__tar) emits --format=posix, giving stable, version-independent header encoding for both "make dist" and "make tar-package". * Expand the exported TAR_OPTIONS: --sort=name for stable member order, --numeric-owner / --owner=0 / --group=0 to drop buildslave identity, --mode=go+u,go-w for deterministic permissions, and the --pax-option flags to keep tar's PID out of header names and omit atime/ctime (leaving the archive in the ustar subset). * In dist-hook, normalize directory permissions to 755 and, when SOURCE_DATE_EPOCH is set, clamp every mtime to it. * In tar-package, clamp staged file mtimes to SOURCE_DATE_EPOCH and pass -n to gzip so the gzip header carries no timestamp. Ticket: ENT-14061 Signed-off-by: Lars Erik Wik <lars.erik.wik@northern.tech>
larsewi
force-pushed
the
reproducible-tar-package
branch
from
5dbc2fb to
77c11ba
Compare
|
Thank you for submitting a PR! Maybe @nickanderson can review this? |
1 task
Contributor
Author
|
@cf-bottom Jenkins please :) |
|
Alright, I triggered a build: Jenkins: https://ci.cfengine.com/job/pr-pipeline/13902/ Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-13902/ |
olehermanse
reviewed
Jun 2, 2026
| TAR_OPTIONS = --owner=0 --group=0 | ||
| # Normalize tar header fields so two builds of the same source tree produce a | ||
| # byte-identical tarball, following the GNU tar reproducibility guidance: | ||
| # https://www.gnu.org/software/tar/manual/html_section/Reproducibility.html |
Member
There was a problem hiding this comment.
This page also mentions using the C locale, did you ensure we set that?
olehermanse
approved these changes
Jun 2, 2026
craigcomstock
approved these changes
Jun 2, 2026
| AC_CANONICAL_TARGET | ||
|
|
||
| _AM_SET_OPTION([tar-ustar]) | ||
| _AM_SET_OPTION([tar-pax]) |
Contributor
There was a problem hiding this comment.
It doesn't seem clear here why to use tar-pax option. Maybe a comment as to "why" here and I see a longer explanation of options later.
Comment on lines
+53
to
+56
| find . -exec touch -d @$$SOURCE_DATE_EPOCH {} + ; \ | ||
| fi && \ | ||
| tardir=. && $(am__tar) | \ | ||
| GZIP=$(GZIP_ENV) gzip -c \ | ||
| GZIP=$(GZIP_ENV) gzip -nc \ |
Contributor
There was a problem hiding this comment.
it would seem that long options or comments about what the short options do would be helpful.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This makes both the
make distsource tarball and themake tar-packagepackage tarball reproducible:--sort=nameto the exportedTAR_OPTIONSso$(am__tar)emits members in a stable order for both recipes.dist-hook, normalize directory permissions to 755 and, whenSOURCE_DATE_EPOCHis set, clamp every mtime to it.tar-package, clamp staged file mtimes toSOURCE_DATE_EPOCHand pass-nto gzip so the gzip header carries no timestamp.Ticket: ENT-14061