From: Janneke Nieuwenhuizen
Subject: [bug#70169] [PATCH 0/7] Reproducible `make dist' tarball in defiance of Autotools and Gettext
Date: Wed, 3 Apr 2024 21:08:40 +0200
Hi,
The recent XZ-utils <https://www.openwall.com/lists/oss-security/2024/03/29/4>
debacle inspired me to resurrect and finish my patch set for creating a
reproducible source tarball for Guix, i.e., finally have `make dist' be
reproducible (when run from Git). I've been using a version of these patches
in simpler projects for some years now and stole one from Timothy Sample's
Gash project.
Autotools and Gettext still make it harder than necessary to do reproducible
(responsible?) computing, which is especially sad given the fact that the
Reproducible Builds project recently had their 10th birthday
<https://reproducible-builds.org/_lfs/presentations/2023-05-27-R-B-the-first-10-years/#/>.
Gettext tooling embeds timestamps found in the file-system, fails to respect
SOURCE_DATE_EPOCH, and lacks options like `--pot-creation-date' so that we
have to resort to SED to fixup. The caching of all sorts of information, in
separate build stages, also doesn't help.
To create a reproducible source tarball, having a reproducible build
environment is a prerequisite, so this would have to be recorded too.
Using this patch set, I created a tarball doing something like
--8<---------------cut here---------------start------------->8---
guix pull --commit=1dbe492b993a7629df3b35146ce0272b52913776
guix shell
bootstrap && ./configure --localstatedir=/var --sysconfdir=/etc && make dist
guix hash guix-1.3.0.57425-80a228.tar.gz
0mk59ay5k2dxmjni9fx4i8qyfhvlgxbhqzsjpg2pbw381nskkxbj
--8<---------------cut here---------------end--------------->8---
and I've uploaded it to
https://lilypond.org/janneke/guix/guix-1.3.0.57425-80a228.tar.gz
Who can reproduce it...and WDYT?
(I've also pushed this patch set to `wip-tarball', as a slight difference
may already produce another tarball).
Greetings,
Janneke
Janneke Nieuwenhuizen (6):
maint: Cater for running `make dist' from a worktree.
maint: Use reproducible timestamps and name for tarball.
maint: Help help2man generate reproducible man-pages.
maint: Generate 'doc/version-LANG.texi' reproducibly.
maint: Use reproducible Git timestamp for POT-Creation-Date.
maint: Ensure generated file reproducibility for dist.
Timothy Sample (1):
maint: Generate 'doc/version.texi' reproducibly.
Makefile.am | 18 ++++++++++++++---
doc/local.mk | 54 +++++++++++++++++++++++++++++++++++++++++++++++++
po/doc/local.mk | 16 +++++++++++----
3 files changed, 81 insertions(+), 7 deletions(-)
base-commit: df64d48e6f9f648044aa5279c045b8d6f7bee604
--
2.41.0
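The message above names file-system timestamps as the main obstacle to a reproducible `make dist'. As an added example (not part of the original message or of the Guix patch set), the shell functions below pack two constructed checkouts that differ only in mtimes, permissions and creation order, once with tar defaults and once with normalized metadata. They assume GNU tar 1.28 or later; the function names, the `pkg-1.0' tree and the epoch argument are hypothetical.

```shell
#!/bin/sh
# Added example: make the archive bytes depend only on file names, file
# contents and one chosen timestamp. Assumes GNU tar >= 1.28 (--sort).

# repro_tarball SRC_DIR OUT.tar.gz EPOCH
# From a Git checkout, EPOCH could be taken from: git log -1 --format=%ct
repro_tarball() {
    src=$1; out=$2; epoch=$3
    tar --sort=name --format=ustar \
        --mtime="@$epoch" \
        --owner=0 --group=0 --numeric-owner \
        --mode='go=rX,u+rw,a-s' \
        -C "$(dirname "$src")" -cf - "$(basename "$src")" |
      gzip -9n > "$out"   # -n keeps name and timestamp out of the gzip header
}

# naive_tarball SRC_DIR OUT.tar.gz
# Same tree packed with tar defaults, for comparison.
naive_tarball() {
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" | gzip -9n > "$2"
}

# make_sample_trees ROOT
# Constructed sample: ROOT/a and ROOT/b hold identical content, but files
# are created in a different order, with different mtimes and modes.
make_sample_trees() {
    root=$1
    mkdir -p "$root/a/pkg-1.0/po" "$root/b/pkg-1.0/po"
    printf 'hello\n'    > "$root/a/pkg-1.0/README"
    printf 'msgid ""\n' > "$root/a/pkg-1.0/po/pkg.pot"
    printf 'msgid ""\n' > "$root/b/pkg-1.0/po/pkg.pot"
    printf 'hello\n'    > "$root/b/pkg-1.0/README"
    touch -t 202001010000 "$root/a/pkg-1.0/README"
    touch -t 202404030000 "$root/b/pkg-1.0/README"
    chmod 600 "$root/a/pkg-1.0/README"
    chmod 644 "$root/b/pkg-1.0/README"
}

# digest FILE: print the SHA-256 of FILE as hex.
digest() { sha256sum "$1" | cut -d' ' -f1; }
```

This covers only the archive metadata; timestamps that tools write into generated files, such as the POT-Creation-Date mentioned in the message, have to be fixed before packing.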