--- Begin Message ---
|
Subject: |
[PATCH 0/7] Reproducible `make dist' tarball in defiance of Autotools and Gettext |
|
Date: |
Wed, 3 Apr 2024 21:08:40 +0200 |
Hi,
The recent XZ-utils <https://www.openwall.com/lists/oss-security/2024/03/29/4>
debacle inspired me to resurrect and finish my patch set for creating a
reproducible source tarball for Guix, i.e., finally have `make dist' be
reproducible (when run from Git). I've been using a version of these patches
in simpler projects for some years now and stole one from Timothy Samplet's
Gash project.
Autotools and Gettext still make it harder than necessary to do reproducible
(responsible?) computing, which is especially sad given the fact that the
Reproducible Builds project recently had their 10th birthday
<https://reproducible-builds.org/_lfs/presentations/2023-05-27-R-B-the-first-10-years/#/>.
Gettext tooling embeds timestamps found in the file-system, fails to respect
SOURCE_DATE_EPOCH, and lacks options like `--pot-creation-date' so that we
have to resort to SED to fixup. The caching of all sorts of information, in
separate build stages, also doesn't help.
To create a reproducible source tarball, having a reproducible build
environment is a prerequitite, so this would have to be recorded too.
Using this patch set, I created a tarball doing something like
--8<---------------cut here---------------start------------->8---
guix pull --commit=1dbe492b993a7629df3b35146ce0272b52913776
guix shell
bootstrap && ./configure --localstatedir=/var --sysconfdir=/etc && make dist
guix hash guix-1.3.0.57425-80a228.tar.gz
0mk59ay5k2dxmjni9fx4i8qyfhvlgxbhqzsjpg2pbw381nskkxbj
--8<---------------cut here---------------end--------------->8---
and I've uploaded it to
https://lilypond.org/janneke/guix/guix-1.3.0.57425-80a228.tar.gz
Who can reproduce it...and WDYT?
(I've also pushed this patch set to `wip-tarball', as a slight difference
may already produce another tarball).
Greetings,
Janneke
Janneke Nieuwenhuizen (6):
maint: Cater for running `make dist' from a worktree.
maint: Use reproducible timestamps and name for tarball.
maint: Help help2man generate reproducible man-pages.
maint: Generate 'doc/version-LANG.texi' reproducibly.
maint: Use reproducible Git timestamp for POT-Creation-Date.
maint: Ensure generated file reproducibility for dist.
Timothy Sample (1):
maint: Generate 'doc/version.texi' reproducibly.
Makefile.am | 18 ++++++++++++++---
doc/local.mk | 54 +++++++++++++++++++++++++++++++++++++++++++++++++
po/doc/local.mk | 16 +++++++++++----
3 files changed, 81 insertions(+), 7 deletions(-)
base-commit: df64d48e6f9f648044aa5279c045b8d6f7bee604
--
2.41.0
--- End Message ---
--- Begin Message ---
|
Subject: |
Re: [bug#70169] [PATCH v3 13/13] maint: Ensure generated file reproducibility for dist. |
|
Date: |
Sun, 14 Apr 2024 11:24:56 +0200 |
|
User-agent: |
Gnus/5.13 (Gnus v5.13) |
pelzflorian (Florian Pelz) writes:
> Janneke Nieuwenhuizen <janneke@gnu.org> writes:
>> @@ -264,8 +264,8 @@ endif
>> # Git rather than using metadata from the filesystem.
>> define version.texi-from-git
>> $(srcdir)/doc/stamp-$(1): $(srcdir)/$(2) $(top_srcdir)/configure
>> - $$(AM_V_GEN)set -e \
>> - export LC_ALL=C; \
>> + $$(AM_V_GEN)set -e; \
>> + export LANG=C LANGUAGE=C LC_ALL=C LC_TIME=C; \
>> export TZ=UTC0; \
>> timestamp="$$$$(git log --pretty=format:%ct -n1 -- "$$<" \
>> 2>/dev/null \
>
> LGTM. No v4 needed in my opinion.
Great, pushed to master as 416f11f1d4b2e12d8db2687e753d760f148cfc2d
--
Janneke Nieuwenhuizen <janneke@gnu.org> | GNU LilyPond https://LilyPond.org
Freelance IT https://www.JoyOfSource.com | AvatarĀ® https://AvatarAcademy.com
--- End Message ---