From: bug#76860 <76860@debbugs.gnu.org>
To: bug#76860 <76860@debbugs.gnu.org>
Subject: Status: [PATCH] Reproducible tarballs for releases
Date: Thu, 19 Jun 2025 21:06:30 +0000

retitle 76860 [PATCH] Reproducible tarballs for releases
reassign 76860 emacs
submitter 76860 Stefan Kangas
severity 76860 wishlist
tag 76860 patch
thanks

From: Stefan Kangas
Date: Sat, 8 Mar 2025 10:19:33 +0000
Subject: [PATCH] Reproducible tarballs for releases
To: bug-gnu-emacs@gnu.org

Severity: wishlist

I propose that we ensure reproducibility in our release tarballs by
applying the recommended GNU Tar options. Please see the attached patch.

The main value of reproducible tarballs is that they allow anyone --
whether downstream packagers, security auditors, or independent
developers -- to verify that the official release tarball matches the
corresponding source repository exactly.

This is particularly useful for:

1. Supply chain security. Ensuring that the tarball is built from the
   expected source, with no accidental or malicious modifications.

2. Downstream distributions. Some distributions, like Debian and Guix,
   strongly prefer reproducible builds to improve verifiability and
   package integrity.

3. Debugging and consistency. Developers can regenerate the exact same
   tarball locally, making it easier to debug, compare versions, or
   audit historical releases.

Even if we're the only ones who generate official tarballs, making them
reproducible improves transparency and verifiability, which are
worthwhile goals on their own.

This approach follows the official GNU Tar manual guidelines:
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html

[Attachment: 0001-Make-release-tarball-more-reproducible.patch (text/x-patch)]
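The verification property the message describes, as an added example (this is not the attached patch and not Emacs's make-dist): two checkouts with identical contents but different timestamps, permissions and creation order give different plain archives and byte-identical archives once the options from the GNU Tar manual's Reproducibility page are applied. The tree, the file names and the `EPOCH` value are constructed for the demonstration; GNU tar 1.29 or later and `sha256sum` are assumed.

```shell
#!/bin/sh
# Added example: tree layout, file names and EPOCH are constructed.
EPOCH='2020-01-01T00:00:00Z'   # stand-in for the time of the last commit

digest() { sha256sum | cut -d' ' -f1; }

# make_tree ROOT MTIME MODE FILE...: build ROOT/proj with the given files,
# created in the given order, each stamped MTIME with permission MODE.
make_tree() {
  root=$1 mtime=$2 mode=$3; shift 3
  for f in "$@"; do
    mkdir -p "$root/proj/$(dirname "$f")"
    printf 'contents of %s\n' "$f" > "$root/proj/$f"
    chmod "$mode" "$root/proj/$f"
    touch -d "$mtime" "$root/proj/$f"
  done
}

# naive_tar ROOT: plain tar; records whatever metadata the checkout has.
naive_tar() { tar -C "$1" -cf - proj; }

# repro_tar ROOT: sorted members, fixed pax header names, no atime/ctime,
# mtimes clamped to EPOCH, owner and group-writable bits normalised.
repro_tar() {
  LC_ALL=C TZ=UTC0 tar -C "$1" \
    --sort=name --format=posix \
    --pax-option='exthdr.name=%d/PaxHeaders/%f' \
    --pax-option='delete=atime,delete=ctime' \
    --clamp-mtime --mtime="$EPOCH" \
    --numeric-owner --owner=0 --group=0 \
    --mode='go+u,go-w' \
    -cf - proj
}

# Two checkouts of the same content that differ only in metadata.
A=$(mktemp -d); B=$(mktemp -d)
make_tree "$A" 2021-06-01T00:00:00Z 644 a.txt sub/c.txt b.txt
make_tree "$B" 2022-06-01T00:00:00Z 664 b.txt sub/c.txt a.txt

echo "naive A: $(naive_tar "$A" | digest)"
echo "naive B: $(naive_tar "$B" | digest)"
echo "repro A: $(repro_tar "$A" | digest)"
echo "repro B: $(repro_tar "$B" | digest)"
rm -rf "$A" "$B"
```

`--clamp-mtime` only lowers timestamps newer than `EPOCH`; files with older mtimes keep them, which is why the GNU Tar manual also sets each file's mtime from its latest commit before archiving.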