GNU bug report logs - #48933
[PATCH] build: Make outputs of node-build-system reproducible.
Reported by: Lars-Dominik Braun <lars <at> 6xq.net>
Date: Wed, 9 Jun 2021 12:58:01 UTC
Severity: normal
Tags: patch
Done: Lars-Dominik Braun <lars <at> 6xq.net>
Bug is archived. No further changes may be made.
Message #8 received at 48933 <at> debbugs.gnu.org (full text, mbox):
Hi,
Lars-Dominik Braun <lars <at> 6xq.net> writes:
> package.json records two hashes of package.tgz, which change for each
> build, resulting in non-reproducible builds.
>
> * guix/build/node-build-system.scm (repack): Add reproducibility options
> to tar command.
Yay!
> (define* (repack #:key inputs #:allow-other-keys)
> - (invoke "tar" "-czf" "../package.tgz" ".")
> + (invoke "tar"
> + ;; Add options suggested by https://reproducible-builds.org/docs/archives/
> + "--sort=name"
> + (string-append "--mtime=" (getenv "SOURCE_DATE_EPOCH"))
I think it should be "--mtime=@".
> + "--owner=0"
> + "--group=0"
> + "--numeric-owner"
> + "--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime"
> + "-czf" "../package.tgz" ".")
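Review bot: the `--mtime` argument uses the `SOURCE_DATE_EPOCH` value unchecked. `getenv` returns `#f` when the variable is unset, so `string-append` fails with a type error rather than a message about the missing variable, and without a leading `@` GNU tar reads the bare number as a date string instead of seconds since the epoch. Building the argument as `(string-append "--mtime=@" (or (getenv "SOURCE_DATE_EPOCH") "1"))`, or failing explicitly when the variable is absent, covers both cases. The `--pax-option` line would also benefit from a comment saying when it takes effect, since the command does not select the pax format.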
I didn’t know about this ‘--pax-option’ trick; since it’s only useful
when POSIXLY_CORRECT is set, perhaps we can remove it?
(guix docker) does this:
--8<---------------cut here---------------start------------->8---
(define %tar-determinism-options
  ;; GNU tar options to produce archives deterministically.
  '("--sort=name" "--mtime=@1"
    "--owner=root:0" "--group=root:0"
    ;; When 'build-docker-image' is passed store items, the 'nlink' of the
    ;; files therein leads tar to store hard links instead of actual copies.
    ;; However, the 'nlink' count depends on deduplication in the store; it's
    ;; an "implicit input" to the build process.  '--hard-dereference'
    ;; eliminates it.
    "--hard-dereference"))
--8<---------------cut here---------------end--------------->8---
and (guix packages) does something similar.
So ‘--sort=name’ seems to be missing.
HTH,
Ludo’.
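To see the effect of the options discussed in this message, the following added example (not code from the patch or from Guix) archives two constructed trees with identical contents but different creation order and timestamps, once naively and once with the `%tar-determinism-options` flags quoted above. It assumes GNU tar and coreutils; the function names, file names and the `gzip -n` pipeline (used so the gzip header carries no name or timestamp) are choices made for this example.

```shell
#!/bin/sh
# Constructed demo: two trees with the same contents, built in a different
# order and stamped with different mtimes, as two separate builds would be.

make_tree() {  # $1 = directory, $2 = timestamp, remaining args = files in creation order
    dir=$1; stamp=$2; shift 2
    mkdir -p "$dir/lib"
    for f in "$@"; do
        printf 'content of %s\n' "$f" > "$dir/$f"
    done
    # Stamp every file and directory so the two trees differ only in metadata.
    find "$dir" -exec touch -d "$stamp" {} +
}

# Plain archive: member order, mtimes and ownership leak into the output.
naive_hash() {
    (cd "$1" && tar -cf - . | gzip -n | sha256sum | cut -d' ' -f1)
}

# Archive with the deterministic options; note the "@" before the epoch value.
repro_hash() {
    (cd "$1" && tar --sort=name "--mtime=@${SOURCE_DATE_EPOCH:-1}" \
        --owner=root:0 --group=root:0 --hard-dereference \
        -cf - . | gzip -n | sha256sum | cut -d' ' -f1)
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_tree "$work/a" 2020-01-01T00:00:00 package.json index.js lib/util.js
make_tree "$work/b" 2021-06-09T12:58:01 lib/util.js index.js package.json

echo "naive a: $(naive_hash "$work/a")"
echo "naive b: $(naive_hash "$work/b")"
echo "repro a: $(repro_hash "$work/a")"
echo "repro b: $(repro_hash "$work/b")"
```

The two naive hashes differ while the two deterministic ones match, which is the property the hashes recorded in package.json depend on.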
This bug report was last modified 4 years and 60 days ago.