I agree with you that it is not deterministic. What is really important is that the checksums and the tarball come from a source you trust and are in agreement. It is a simple security measure and I am not sure there is value in making it deterministic. I have a feeling that if you want to do that we may have to change the packaging tool radically.
François

> On 13/01/2015, at 12:24, mmarco <mma...@unizar.es> wrote:
>
> If the problem is that packaging is not deterministic... what if we run the
> hash check on the unpacked files instead of the tarball?
>
> On Monday, 12 January 2015, 11:59:53 (UTC+1), Thierry
> (sage-googlesucks@xxx) wrote:
> > Hi,
> >
> > it is advised to distribute the unmodified upstream tarball as much as
> > possible, so that the end user is able to check that the tarball
> > shipped by Sage has the same hash as upstream's. However, when the size can
> > be reduced by a huge factor, integrity arguments become pretty weak and we
> > randomly upload hand-modified tarballs on tickets without a clear checking
> > process during the review process.
> >
> > In some cases, one possibility is to discuss with upstream shipping both
> > full and trimmed sources (which will benefit other downstreams, e.g. for
> > mathjax, which can be considerably reduced while keeping all features).
> >
> > Another mid-term compromise could be to strip a few upstream sources,
> > but in a checkable and reproducible manner, that is, with a spkg-src
> > script that will produce deterministic tarballs, so that anyone (in
> > particular the reviewer) can re-run the script and check the hashsums. By
> > default, tarballs are quite volatile because of timestamps and ownership,
> > also the file ordering seems to depend on the computer, the posix format
> > is nondeterministic, and I may have missed some other subtleties.
> >
> > In order to try such a possibility on the next matplotlib update, could some
> > people (especially someone using OSX) give me (with minimal info on their
> > OS, arch, and tar --version) the result of:
> >
> > wget https://downloads.sourceforge.net/project/matplotlib/matplotlib/matplotlib-1.4.2/matplotlib-1.4.2.tar.gz
> > tar xf matplotlib-1.4.2.tar.gz
> > rm -rf matplotlib-1.4.2/lib/matplotlib/tests/baseline_images/*
> > find matplotlib-1.4.2 | sort | tar --no-recursion -cj --format=gnu \
> >     --mtime='1970-01-01 01:00' --group=0 --owner=0 -f matplotlib-1.4.2.tar.bz2 -T -
> > shasum matplotlib-1.4.2.tar.bz2
> >
> > Thanks,
> > Thierry
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "sage-devel" group.
> > To unsubscribe from this group and stop receiving emails from it, send an
> > email to sage-devel+unsubscr...@googlegroups.com.
> > To post to this group, send email to sage-devel@googlegroups.com.
> > Visit this group at http://groups.google.com/group/sage-devel.
> > For more options, visit https://groups.google.com/d/optout.
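The two approaches argued about in this thread, as an added example that is not code from Sage or from any of the posters: Thierry's normalisations (fixed mtime, uid/gid 0, sorted member order, GNU format, bz2 compression, which unlike gzip carries no timestamp in its header) done in Python's tarfile module, alongside mmarco's alternative of hashing the unpacked files instead of the archive. The sample tree, the archive name `pkg-1.0` and the excluded directory are constructed for the demo; the functions compare two copies of the same tree unpacked with different timestamps and show which checks agree.

```python
import bz2
import hashlib
import io
import os
import tarfile
import tempfile

FIXED_MTIME = 0  # any constant works; the thread's tar command uses 1970-01-01 01:00


def _normalize(info: tarfile.TarInfo) -> tarfile.TarInfo:
    """Drop everything that differs between packagers' machines but not between sources."""
    info.mtime = FIXED_MTIME
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    # umask differences: keep only "directory or executable" vs "plain file"
    info.mode = 0o755 if (info.isdir() or info.mode & 0o100) else 0o644
    return info


def _sorted_entries(root, exclude=()):
    """Relative POSIX paths under root in codepoint order (not locale order),
    with the *contents* of excluded directories dropped, like `rm -rf dir/*`."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in dirnames + filenames:
            entries.append(name if rel_dir == "." else f"{rel_dir}/{name}")
    entries.sort()
    return [e for e in entries if not any(e.startswith(x + "/") for x in exclude)]


def reproducible_tarball(root, arcname, exclude=()):
    """bz2-compressed tar of root whose bytes depend only on the file contents."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        tar.add(root, arcname=arcname, recursive=False, filter=_normalize)
        for rel in _sorted_entries(root, exclude):
            tar.add(os.path.join(root, *rel.split("/")), arcname=f"{arcname}/{rel}",
                    recursive=False, filter=_normalize)
    return bz2.compress(buf.getvalue(), 9)


def naive_tarball(root, arcname):
    """Plain `tar cf` equivalent: mtimes, uid/gid and umask leak into the bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.add(root, arcname=arcname)
    return buf.getvalue()


def tree_digest(root, exclude=()):
    """mmarco's idea: SHA-256 over sorted (type, path, content hash) records,
    so the check does not depend on how the archive was produced at all."""
    h = hashlib.sha256()
    for rel in _sorted_entries(root, exclude):
        full = os.path.join(root, *rel.split("/"))
        if os.path.isdir(full):
            h.update(b"d\0" + rel.encode() + b"\0")
        else:
            with open(full, "rb") as f:
                h.update(b"f\0" + rel.encode() + b"\0" + hashlib.sha256(f.read()).digest())
    return h.hexdigest()


def member_names(tar_bz2):
    with tarfile.open(fileobj=io.BytesIO(tar_bz2), mode="r:bz2") as tar:
        return tar.getnames()


def make_sample_tree(base, mtime):
    """Constructed stand-in for an unpacked upstream tarball; every mtime is set
    to `mtime` to simulate two packagers unpacking at different times."""
    files = {
        "setup.py": b"from setuptools import setup\nsetup(name='pkg')\n",
        "lib/pkg/__init__.py": b"__version__ = '1.0'\n",
        "lib/pkg/tests/baseline_images/big.png": b"\x89PNG" + b"\0" * 64,
    }
    for rel, data in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    for dirpath, _, filenames in os.walk(base):
        for p in [dirpath] + [os.path.join(dirpath, n) for n in filenames]:
            os.utime(p, (mtime, mtime))
    return base


def demo():
    """Same tree, two timestamps: reproducible tarball and tree digest agree, naive tar does not."""
    exclude = ("lib/pkg/tests/baseline_images",)
    with tempfile.TemporaryDirectory() as d:
        a = make_sample_tree(os.path.join(d, "a"), mtime=1_000_000_000)
        b = make_sample_tree(os.path.join(d, "b"), mtime=1_400_000_000)
        ta = reproducible_tarball(a, "pkg-1.0", exclude)
        tb = reproducible_tarball(b, "pkg-1.0", exclude)
        return {
            "reproducible_equal": ta == tb,
            "naive_equal": naive_tarball(a, "pkg-1.0") == naive_tarball(b, "pkg-1.0"),
            "tree_equal": tree_digest(a, exclude) == tree_digest(b, exclude),
            "members": member_names(ta),
            "sha256": hashlib.sha256(ta).hexdigest(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details worth knowing when doing the same thing in the shell as in Thierry's pipeline: `sort` orders by the current locale unless run as `LC_ALL=C sort`, so two reviewers in different locales can get different member orders from identical trees, and GNU tar 1.28 and later has `--sort=name` to do the ordering itself. The tree-digest variant sidesteps all of the archive-level issues (timestamps, ownership, ordering, format, compressor) but only tells you the unpacked files match; it says nothing about which tarball bytes were actually shipped, so a reviewer would still want the shipped archive to be the one re-created by the spkg-src script.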