Bug#807270: mk-origtargz: create reproducible tarballs and --mtime option

Osamu Aoki osamu at debian.org
Mon Dec 7 13:30:10 UTC 2015


Hi,

This is an "important wishlist" :-)

On Sun, Dec 06, 2015 at 10:21:04PM +0100, Hans-Christoph Steiner wrote:
> 
> Package: devscripts
> Version: 2.14.2
> Severity: wishlist
> User: devscripts at packages.debian.org
> Usertags: mk-origtargz
> 
> 
> Whenever mk-origtargz is repacking a zipball, it should zero out the
> timestamps in the tar format so that the process produces the same
> tarball every time it runs.  This can be done using tar's --mtime= flag.
> 
> Additionally, it would be very useful if mk-origtargz also had a --mtime
> option which forced the tarball to be repacked using the date given to
> the --mtime="Wed Oct 28 10:12:27 2015 -0700" flag.  Here's an example of
> how to do that in perl:
> 
> https://stackoverflow.com/a/16728218

Let's read the date from debian/changelog top entry and set mtime
as described here.
 
> This gets us ever closer to the goals of reproducible builds, where we
> can guarantee that for a given original source code, the resulting binaries
> are always the same.  For more on that topic:
> 
> https://reproducible-builds.org/

Currently, mk-origtargz calls gzip with "-n".

xz and bzip2 do not seem to have such an option and we set no flag.

None of these are guaranteed to produce the same result since
compression seems to be arch dependent (at least gzip).

If you know any options to improve REPRODUCIBILITY of gzip/xz/bzip2, let
us know.

Osamu
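
The repacking discussed in this thread, as an added example that is not part of the original messages and is not devscripts code: it takes the mtime from the top debian/changelog trailer, stamps every tar member with it (the effect of tar's --mtime=), and writes a gzip header with no name or timestamp (the effect of gzip -n). It is written in Python rather than Perl; the function names and the sample changelog are constructed for illustration.

```python
import gzip, io, re, tarfile, zipfile
from email.utils import parsedate_to_datetime

# Constructed sample changelog (not from a real package).
SAMPLE_CHANGELOG = """\
example (1.0-1) unstable; urgency=low

  * Initial release.

 -- Jane Maintainer <jane@example.org>  Wed, 28 Oct 2015 10:12:27 -0700
"""

def changelog_mtime(text):
    """Epoch seconds of the top debian/changelog entry's trailer date."""
    m = re.search(r"^ -- .*?>  (.+)$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no changelog trailer line found")
    return int(parsedate_to_datetime(m.group(1)).timestamp())

def repack_zip(zip_bytes, mtime):
    """Repack a zip into tar.gz whose bytes depend only on contents and mtime."""
    tar_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf, \
         tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for name in sorted(zf.namelist()):      # fixed member order
            if name.endswith("/"):
                continue                        # directory entries skipped for brevity
            data = zf.read(name)
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            ti.mtime = mtime                    # same effect as tar --mtime=
            ti.mode = 0o644                     # normalised mode and ownership
            ti.uid = ti.gid = 0
            ti.uname = ti.gname = "root"
            tf.addfile(ti, io.BytesIO(data))
    out = io.BytesIO()
    # Empty filename and mtime=0 in the gzip header: same effect as gzip -n.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()

def make_zip(entries, date_time):
    """Build a constructed in-memory zip with the given member timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time), data)
    return buf.getvalue()
```

Identical output is only guaranteed here for the same zlib build; as noted in the message above, the compressed stream itself can still differ between compressor versions or architectures.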


