On Sun, Nov 17, 2024 at 08:32:05PM +0000, Gavin Smith wrote:
> On Sun, Nov 17, 2024 at 08:36:24PM +0100, Patrice Dumas wrote:
> > > As far as I know,
> > > nobody is checking that the distribution archive is bit-for-bit
> > > reproducible from some specified commit in the git repository.
> >
> > It seems to me that it could be relevant, to be able to check more
> > easily that the distribution has not been tampered with.
> >
> > > I
> > > understand the main issue of reproducible builds deals with building
> > > reproducibly from a released distribution archive, not how that
> > > archive is produced.
> >
> > If I recall well, the issue with the xz utils was tampering with the
> > distributed tarball, not reproducible builds. If it is easier to redo
> > the distributed tarball independently and compare, it should be a win for
> > security.
>
> I agree in theory but don't know how practical it is to achieve.
>
> It seems that it wouldn't matter as much if we required GNU tar to produce
> the file, as this version of tar wouldn't be required by people building
> the software. We could provide extra flags as described at this page:
>
> https://reproducible-builds.org/docs/archives/
I've done this using a separate script under tp/maintain that is run by
both autogen.sh and the Makefile. It adds flags for GNU tar only.

I wasn't sure what to put as the mtime. I considered using "@0" which
would represent 1970-01-01, but I thought if someone were to expand the
archive manually they should get a sensible date.

if tar --version | grep "GNU tar" >/dev/null; then
  # Used with GNU tar to try to get a reproducible file.
  # See https://reproducible-builds.org/docs/archives/.
  TAR_BUNDLE_DATE=2024-11-18T00:00
  TAR_BUNDLE_FLAGS="--sort=name --mtime=$TAR_BUNDLE_DATE --owner=0 --group=0 --numeric-owner --format=ustar"
else
  TAR_BUNDLE_FLAGS=
fi

tar cf non_ascii.tar $input $TAR_BUNDLE_FLAGS
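For anyone who wants to check that the flags above really make the archive independent of the build machine's state, here is a small added shell example. It is not part of this thread or of the texinfo tp/maintain scripts; it constructs a throwaway directory ("src", with made-up file contents), archives it twice with the same GNU tar flags, changes every mtime in between, and confirms the two tarballs are byte-for-byte identical. It assumes GNU tar (--sort=name needs 1.28 or later) and POSIX cmp, find and touch.

```sh
#!/bin/sh
# Added example (not from the texinfo sources or this thread): archive a
# directory twice with the GNU tar flags discussed above, changing file
# mtimes in between, and confirm the two archives are byte-for-byte
# identical. This is the check a third party would run to reproduce a
# release tarball from a given commit and compare it with the one that
# was distributed. Assumes GNU tar; the directory name "src" and the
# file contents are constructed for the example.

TAR_BUNDLE_DATE=2024-11-18T00:00
TAR_BUNDLE_FLAGS="--sort=name --mtime=$TAR_BUNDLE_DATE --owner=0 --group=0 --numeric-owner --format=ustar"

# make_sample_tree DIR: build a small tree with a deliberately unsorted
# creation order, so that readdir order alone could not be relied on.
make_sample_tree() {
    mkdir -p "$1/sub" || return 1
    printf 'hello\n' > "$1/b.txt"
    printf 'world\n' > "$1/a.txt"
    printf 'nested\n' > "$1/sub/c.txt"
}

# reproducible_tar ARCHIVE DIR: create ARCHIVE from DIR with the flags
# above. TZ is pinned because --mtime with a calendar date is read in
# the local time zone; without it, two machines in different zones
# would store different timestamps in the header.
reproducible_tar() {
    TZ=UTC tar cf "$1" $TAR_BUNDLE_FLAGS "$2"
}

# archives_identical A B: exit 0 if the two files are byte-for-byte equal.
archives_identical() {
    cmp -s "$1" "$2"
}

# demo: returns 0 when the archive reproduces after the inputs' mtimes
# were changed, 1 otherwise.
demo() {
    work=$(mktemp -d) || return 1
    make_sample_tree "$work/src" || return 1
    ( cd "$work" && reproducible_tar one.tar src ) || return 1
    # Give every file and directory a different timestamp; a plain
    # "tar cf" without --mtime would now produce a different archive.
    find "$work/src" -exec touch -t 200102030405.06 {} + || return 1
    ( cd "$work" && reproducible_tar two.tar src ) || return 1
    if archives_identical "$work/one.tar" "$work/two.tar"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}

demo && echo "archives reproduce" || echo "archives differ"
```

Two things a verifier would care about beyond the flags themselves: the time zone (hence TZ=UTC in reproducible_tar; "@0" or an "@epoch" value such as SOURCE_DATE_EPOCH sidesteps this, at the cost of the 1970 dates mentioned above), and the fact that --format=ustar limits member names to 100 characters plus a 155-character prefix, so a path that grows past that would make tar fail or change format rather than silently produce a different file. Comparing sha256sum of the rebuilt tarball against the published one is the same test as cmp here, just easier to publish.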