GNU bug report logs - #79170
Please make amhello-1.0.tar.gz reproducible

Previous Next

Package: automake;

Reported by: Jelle van der Waa <jelle <at> vdwaa.nl>

Date: Mon, 4 Aug 2025 20:53:02 UTC

Severity: normal

To reply to this bug, email your comments to 79170 AT debbugs.gnu.org.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-automake <at> gnu.org:
bug#79170; Package automake. (Mon, 04 Aug 2025 20:53:02 GMT) Full text and rfc822 format available.
Acknowledgement sent to Jelle van der Waa <jelle <at> vdwaa.nl>:
New bug report received and forwarded. Copy sent to bug-automake <at> gnu.org. (Mon, 04 Aug 2025 20:53:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Jelle van der Waa <jelle <at> vdwaa.nl>
To: bug-automake <at> gnu.org
Subject: Please make amhello-1.0.tar.gz reproducible
Date: Mon, 4 Aug 2025 17:15:42 +0200

In Arch Linux our automake package includes 
/usr/share/doc/automake/amhello-1.0.tar.gz. When we rebuild this package 
using our rebuilder to check for reproduciblity the uid/gid and 
timestamps are not normalized meaning they vary per rebuild making the 
package non-reproducible. [1] [2]

The owner/guid could be set --owner=root:0 --group=root:0
 and to get rid of the timestamp --mtime='@0' (Or alternatively a fixed 
timestamp which can be set via SOURCE_DATE_EPOCH).

Alternatively the timestamp could be excluded by hardcoding the tar 
format to ustar which omits timestamps.

[1] https://reproducible.archlinux.org
[2] https://reproducible-builds.org/
Information forwarded to bug-automake <at> gnu.org:
bug#79170; Package automake. (Tue, 05 Aug 2025 22:15:02 GMT) Full text and rfc822 format available.

Message #8 received at 79170 <at> debbugs.gnu.org (full text, mbox):

From: Karl Berry <karl <at> freefriends.org>
To: jelle <at> vdwaa.nl
Cc: 79170 <at> debbugs.gnu.org
Subject: Re: bug#79170: Please make amhello-1.0.tar.gz reproducible
Date: Tue, 5 Aug 2025 16:14:23 -0600

Hi Jelle - thanks for the report.

    The owner/guid could be set --owner=root:0 --group=root:0

OK.

      and to get rid of the timestamp --mtime='@0' (Or alternatively a fixed 
    timestamp which can be set via SOURCE_DATE_EPOCH).

Do you have a specific suggestion for how to use SOURCE_DATE_EPOCH here?
I don't want to fake the time when all the files were created to 1970 or
anything else. Having real mtimes seems useful.

    Alternatively the timestamp could be excluded by hardcoding the tar 
    format to ustar which omits timestamps.

1) What timestamp does ustar omit? AFAIK, every tar format stores mtimes
(and it's a good thing that they do).

2) In the latest automake release, I believe amhello already is ustar,
because we changed automake's default to be that in 1.18.
   
$ zcat /.../latest/.../gnu/share/doc/automake/amhello-1.0.tar.gz | file -
/dev/stdin: POSIX tar archive

Thanks,
Karl
This bug report was last modified 9 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.