GNU bug report logs -
#75426
[PATCH] docker: Build tarballs reproducibly.
Previous Next
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Tue, 7 Jan 2025 22:57:01 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Full log
View this message in rfc822 format
[Message part 1 (text/plain, inline)]
Your message dated Sat, 25 Jan 2025 00:07:13 +0100
with message-id <87wmejbyla.fsf <at> gnu.org>
and subject line Re: [bug#75426] [PATCH] docker: Build tarballs reproducibly.
has caused the debbugs.gnu.org bug report #75426,
regarding [PATCH] docker: Build tarballs reproducibly.
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)
--
75426: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=75426
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
Fixes <https://issues.guix.gnu.org/75090>.
* guix/docker.scm (tar): New procedure.
(create-empty-tar, build-docker-image): Use it instead of calling
‘invoke’ directly.
Reported-by: Simon Josefsson <simon <at> josefsson.org>
Change-Id: Ia899c43ed6a3809ff845de0953e3d38cccf24609
---
guix/docker.scm | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/guix/docker.scm b/guix/docker.scm
index b33c5824dd..d9764f61fb 100644
--- a/guix/docker.scm
+++ b/guix/docker.scm
@@ -1,6 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017 Ricardo Wurmus <rekado <at> elephly.net>
-;;; Copyright © 2017, 2018, 2019, 2021 Ludovic Courtès <ludo <at> gnu.org>
+;;; Copyright © 2017-2019, 2021, 2025 Ludovic Courtès <ludo <at> gnu.org>
;;; Copyright © 2018 Chris Marusich <cmmarusich <at> gmail.com>
;;; Copyright © 2021 Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
;;; Copyright © 2023 Oleg Pykhalov <go.wigust <at> gmail.com>
@@ -170,8 +170,15 @@ (define (size-sorted-store-items items max-layers)
(1- items-length)))))
(list head tail)))
+(define (tar . arguments)
+ "Invoke 'tar' with the given ARGUMENTS together with options to build
+tarballs in a reproducible fashion."
+ (apply invoke "tar" "--mtime=@1"
+ "--owner=0" "--group=0" "--numeric-owner"
+ "--sort=name" "--mode=go+u,go-w" arguments))
+
(define (create-empty-tar file)
- (invoke "tar" "-cf" file "--files-from" "/dev/null"))
+ (tar "-cf" file "--files-from" "/dev/null"))
(define* (build-docker-image image paths prefix
#:key
@@ -255,7 +262,7 @@ (define* (build-docker-image image paths prefix
(file-name (string-append file-hash "/layer.tar")))
(mkdir file-hash)
(rename-file "layer.tar" file-name)
- (invoke "tar" "-rf" "image.tar" file-name)
+ (tar "-rf" "image.tar" file-name)
(delete-file file-name)
file-hash))
(define layers-hashes
@@ -268,20 +275,20 @@ (define* (build-docker-image image paths prefix
(let* ((head-layers
(map
(lambda (file)
- (invoke "tar" "cf" "layer.tar" file)
+ (tar "cf" "layer.tar" file)
(seal-layer))
head))
(tail-layer
(begin
(create-empty-tar "layer.tar")
(for-each (lambda (file)
- (invoke "tar" "-rf" "layer.tar" file))
+ (tar "-rf" "layer.tar" file))
tail)
(let* ((file-hash (layer-diff-id "layer.tar"))
(file-name (string-append file-hash "/layer.tar")))
(mkdir file-hash)
(rename-file "layer.tar" file-name)
- (invoke "tar" "-rf" "image.tar" file-name)
+ (tar "-rf" "image.tar" file-name)
(delete-file file-name)
file-hash)))
(customization-layer
@@ -290,7 +297,7 @@ (define* (build-docker-image image paths prefix
(file-name (string-append file-hash "/layer.tar")))
(mkdir file-hash)
(rename-file file-id file-name)
- (invoke "tar" "-rf" "image.tar" file-name)
+ (tar "-rf" "image.tar" file-name)
file-hash))
(all-layers
(append head-layers (list tail-layer customization-layer))))
@@ -300,7 +307,7 @@ (define* (build-docker-image image paths prefix
(map (cut string-append <> "/layer.tar")
all-layers)
repository))))
- (invoke "tar" "-rf" "image.tar" "manifest.json")
+ (tar "-rf" "image.tar" "manifest.json")
all-layers))))
(let* ((directory "/tmp/docker-image") ;temporary working directory
(id (docker-id prefix))
@@ -388,7 +395,7 @@ (define* (build-docker-image image paths prefix
#:entry-point entry-point))))
(if max-layers
(begin
- (invoke "tar" "-rf" "image.tar" "config.json")
+ (tar "-rf" "image.tar" "config.json")
(if compressor
(begin
(apply invoke `(,@compressor "image.tar"))
base-commit: eeb019eb595bbb29f83389deb2fc823ed6402dd5
--
2.47.1
[Message part 3 (message/rfc822, inline)]
Ludovic Courtès <ludo <at> gnu.org> skribis:
> Fixes <https://issues.guix.gnu.org/75090>.
>
> * guix/docker.scm (tar): New procedure.
> (create-empty-tar, build-docker-image): Use it instead of calling
> ‘invoke’ directly.
>
> Reported-by: Simon Josefsson <simon <at> josefsson.org>
> Change-Id: Ia899c43ed6a3809ff845de0953e3d38cccf24609
Pushed as 646202bf73f90de4f9b7cc66248b8f8e6e381014.
Ludo’.
This bug report was last modified 160 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.