[bug#48933] [PATCH] build: Make outputs of node-build-system reproducibl
From: Ludovic Courtès
Subject: [bug#48933] [PATCH] build: Make outputs of node-build-system reproducible.
Date: Wed, 16 Jun 2021 22:51:59 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

Hi,

Lars-Dominik Braun <lars@6xq.net> wrote:
> package.json records two hashes of package.tgz, which change for each
> build, resulting in non-reproducible builds.
>
> * guix/build/node-build-system.scm (repack): Add reproducibility options
> to tar command.
Yay!
> (define* (repack #:key inputs #:allow-other-keys)
> - (invoke "tar" "-czf" "../package.tgz" ".")
> + (invoke "tar"
> + ;; Add options suggested by
> https://reproducible-builds.org/docs/archives/
> + "--sort=name"
> + (string-append "--mtime=" (getenv "SOURCE_DATE_EPOCH"))
I think it should be "--mtime=@".
> + "--owner=0"
> + "--group=0"
> + "--numeric-owner"
> +
> "--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime"
> + "-czf" "../package.tgz" ".")
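
Review bot: the "--mtime=" argument passes (getenv "SOURCE_DATE_EPOCH") straight to string-append with no check that the variable is set. getenv returns #f when it is unset, so string-append would fail with a wrong-type-argument error instead of a message naming the missing variable. Consider binding the value first and either raising a clear error or falling back to a fixed timestamp, and add a comment saying what is expected to set SOURCE_DATE_EPOCH before this procedure runs.
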
I didn’t know about this ‘--pax-option’ trick; since it’s only useful
when POSIXLY_CORRECT is set, perhaps we can remove it?
(guix docker) does this:
--8<---------------cut here---------------start------------->8---
(define %tar-determinism-options
  ;; GNU tar options to produce archives deterministically.
  '("--sort=name" "--mtime=@1"
    "--owner=root:0" "--group=root:0"
    ;; When 'build-docker-image' is passed store items, the 'nlink' of the
    ;; files therein leads tar to store hard links instead of actual copies.
    ;; However, the 'nlink' count depends on deduplication in the store; it's
    ;; an "implicit input" to the build process.  '--hard-dereference'
    ;; eliminates it.
    "--hard-dereference"))
--8<---------------cut here---------------end--------------->8---
and (guix packages) does something similar.
So ‘--sort=name’ seems to be missing.
HTH,
Ludo’.
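
An added example, not part of the original message and not Guix code: a Python check that a tarball's member metadata has the properties the tar options discussed above are meant to pin down (name order, a fixed mtime, owner and group 0, no atime/ctime pax records). The function names, the in-memory sample archives and the expected mtime of 1 are constructed for illustration.

```python
import io
import tarfile

def archive_findings(data, expected_mtime=1):
    """List the ways the tar archive in `data` deviates from normalized metadata."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
    findings = []
    names = [m.name for m in members]
    # --sort=name orders entries within each directory, so compare by path
    # components rather than by the flat string ("a/b" sorts before "a.txt").
    if names != sorted(names, key=lambda n: n.split("/")):
        findings.append("members are not in per-directory name order")
    for m in members:
        if m.mtime != expected_mtime:            # --mtime=@N
            findings.append(f"{m.name}: mtime {m.mtime}, expected {expected_mtime}")
        if (m.uid, m.gid) != (0, 0):             # --owner=0 --group=0
            findings.append(f"{m.name}: uid/gid {m.uid}/{m.gid}, expected 0/0")
        for key in ("atime", "ctime"):           # pax records the patch deletes
            if key in m.pax_headers:
                findings.append(f"{m.name}: pax header records {key}")
    return findings

def build_sample(entries):
    """Constructed input: an in-memory tar built from (name, mtime, uid, gid)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mtime, uid, gid in entries:
            info = tarfile.TarInfo(name)
            info.mtime, info.uid, info.gid = mtime, uid, gid
            payload = b"{}\n"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed samples: normalized metadata versus build-dependent metadata.
GOOD = build_sample([("./index.js", 1, 0, 0), ("./package.json", 1, 0, 0)])
BAD = build_sample([("./package.json", 1623876719, 1000, 1000),
                    ("./index.js", 1, 0, 0)])

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("bad", BAD)):
        print(label, archive_findings(blob))
```

Running the same check on the package.tgz from two independent builds, together with a comparison of their digests, shows whether the recorded hashes can still differ.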