
Build reproducible tarballs for releases
Closed, Public

Authored by aaronpuchert on Sun, Nov 15, 7:02 AM.

Details

Summary

Currently the tarballs contain superfluous metadata, like the user name
of the packager and via Pax headers even the PID of the tar process that
packaged the files. We build the monorepo projects directly from the git
repo using "git archive" and for the test-suite we add some flags as
recommended by https://reproducible-builds.org/docs/archives/. We don't
use numeric owners though to be compatible with "git archive".

The advantage of "git archive" is that the releaser doesn't have to
download the tarball and extract it, rather the archive is built
directly from the repository. This is probably what GitHub uses
internally to produce the tarballs, so I wouldn't expect a difference.


Event Timeline

aaronpuchert created this revision. (Sun, Nov 15, 7:02 AM)
Herald added a project: Restricted Project.
aaronpuchert requested review of this revision. (Sun, Nov 15, 7:02 AM)
hans added a comment. (Mon, Nov 16, 6:09 AM)

Making the tarballs more reproducible sounds great.

I kind of liked that the script always downloads from GitHub and doesn't depend on the state of my local repo. I don't feel strongly about this though, so I'll defer to Tom.

> I kind of liked that the script always downloads from GitHub and doesn't depend on the state of my local repo.

It requires the tag to be on the same commit as on GitHub, but since you're setting the tag I'd assume that. Otherwise it doesn't depend on either your working tree or the index, or whether you're currently rebasing or whatever. The archive is generated from the snapshot defined by the git tag, and since git addresses everything by hashes this should reproducibly be the same wherever you do it.

tstellar accepted this revision. (Mon, Nov 16, 8:29 PM)

This is fine with me.

This revision is now accepted and ready to land. (Mon, Nov 16, 8:29 PM)
This revision was landed with ongoing or failed builds. (Sun, Nov 22, 11:52 AM)
This revision was automatically updated to reflect the committed changes.
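
A way to check the two claims made in this thread, as an added example that is not part of the revision or of the project's release script: an archive built with "git archive" from a tag is identical whether it comes from a dirty checkout or a fresh clone, and a directory packed with the tar flags recommended by reproducible-builds.org (without --numeric-owner, as the summary says) is identical regardless of file timestamps and creation order. It assumes git, sha256sum and GNU tar 1.28 or later; the function names, file contents, tag v1, prefix and epoch value are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; function names, file contents, tag v1 and the epoch are constructed.

# Print the SHA-256 of a command's output, or nothing if the command fails.
sha_of() { o=$(mktemp) && "$@" > "$o" && sha256sum < "$o" | cut -d' ' -f1; rm -f "$o"; }

# Archive a tag straight from the git object store (working tree and index are not read).
git_archive_sha() {    # $1 = repository, $2 = tag
    sha_of git -C "$1" archive --format=tar --prefix="demo-$2/" "$2"
}

# Archive a plain directory with member order, mtime and owner fixed, and the
# pax atime/ctime records and PID-bearing header name removed.
dir_archive_sha() {    # $1 = parent dir, $2 = dir name, $3 = mtime in epoch seconds
    sha_of tar --sort=name --mtime="@$3" --owner=0 --group=0 --format=posix \
        --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
        -C "$1" -cf - "$2"
}

# Archive the same tag from a dirty checkout and from a fresh clone; succeed if identical.
check_git_archive() {
    t=$(mktemp -d) || return 2
    git init -q "$t/a" && echo 'int main(void){return 0;}' > "$t/a/main.c" &&
    git -C "$t/a" add main.c &&
    git -C "$t/a" -c user.name=demo -c user.email=demo@example.invalid commit -q -m init &&
    git -C "$t/a" tag v1 || { rm -rf "$t"; return 2; }
    echo 'uncommitted edit' >> "$t/a/main.c"                 # dirty working tree
    echo 'stray' > "$t/a/new.c"; git -C "$t/a" add new.c     # dirty index
    git clone -q "$t/a" "$t/b"
    h1=$(git_archive_sha "$t/a" v1); h2=$(git_archive_sha "$t/b" v1)
    rm -rf "$t"
    [ -n "$h1" ] && [ "$h1" = "$h2" ]
}

# Pack two copies of one tree that differ in mtimes and creation order; succeed if identical.
check_dir_archive() {
    t=$(mktemp -d) || return 2
    mkdir -p "$t/x/suite" "$t/y/suite"
    echo one > "$t/x/suite/a.txt"; echo two > "$t/x/suite/b.txt"
    echo two > "$t/y/suite/b.txt"; echo one > "$t/y/suite/a.txt"
    touch -t 200001010000 "$t/y/suite/a.txt"
    h1=$(dir_archive_sha "$t/x" suite 1605423720)
    h2=$(dir_archive_sha "$t/y" suite 1605423720)
    rm -rf "$t"
    [ -n "$h1" ] && [ "$h1" = "$h2" ]
}
```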