There is ongoing discussion about reproducible builds within GNU. I'm having trouble figuring out the best approach for deterministic distribution archives using Automake.
Here's my original message on gnu-prog-discuss:

> I did read https://reproducible-builds.org/docs/archives/.
>
> Automake-generated Makefiles have many archive options.  I'm assuming
> that my best option is to modify the timestamps and other metadata of
> the files in distdir using `dist-hook`, but that doesn't solve file
> ordering.
>
> What would the GNU recommendation be in this case, and what fits best
> with the spirit of Automake?  Post-processing the tarball is awkward
> since it is part of a pipeline (to whatever compression algorithm is
> chosen for the final archive).  I'm not sure how to modify am__tar to
> include processing as part of that pipeline (e.g. as used in
> dist-gzip)---Automake doesn't provide options to configure its value
> outside of _AM_PROG_TAR, which is rigid.
>
> strip-nondeterminism appears to support ar, gzip, jar, and zip; should I
> just use that?

Ludo had some suggestions:

On Tue, Dec 22, 2015 at 17:23:55 +0100, Ludovic Courtès wrote:
> At the very least, Automake should change the default value of
> ‘GZIP_ENV’ to “--best --no-name” (the latter tells gzip to not add a
> timestamp in its output.)
>
> Ideally ‘make dist’ would also sort files in the archives.  Recent
> versions of GNU tar support ‘--sort=name’ but we’d need a way to do that
> portably (or require GNU tar for ‘make dist’.)
>
> Lastly, archive timestamps could be reset, as per --mtime=@0, but again,
> portability needs to be considered.  In some cases, this feature might
> need to be turned off.
>
> Thoughts?

Is there a [good] way to solve this problem until we can implement any
suggestions in Automake?

-- 
Mike Gerwitz
Free Software Hacker | GNU Maintainer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
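
The options named in the quoted suggestions (`--sort=name`, `--mtime=@0`, `gzip --best --no-name`), combined into one archive step and checked for determinism. This is an added example, not part of the original message and not Automake's own code; it assumes GNU tar 1.28 or later and gzip. The function names and the `pkg-1.0` sample tree are hypothetical, and the owner, group and format options are additions beyond what the message lists.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU tar >= 1.28 and gzip.

# repro_dist DISTDIR OUTFILE: archive DISTDIR with normalized metadata.
repro_dist() {
    # --sort=name      fixed member order, whatever readdir() returns
    # --mtime=@0       every member is stamped with the epoch
    # --owner/--group  drop the builder's uid, gid and account names
    # --format=ustar   pin the format instead of tar's compiled-in default
    # gzip --no-name   no file name or timestamp in the gzip header
    # The tar step writes a temporary file so that a tar failure is not
    # hidden behind gzip's exit status, as it would be in a pipeline.
    LC_ALL=C tar --sort=name --mtime=@0 \
        --owner=0 --group=0 --numeric-owner --format=ustar \
        -C "$(dirname -- "$1")" -cf "$2.tmp" "$(basename -- "$1")" &&
        gzip --best --no-name < "$2.tmp" > "$2"
    rc=$?
    rm -f "$2.tmp"
    return "$rc"
}

# make_sample_tree ROOT STAMP NAMES...: constructed input. Files are
# created in the order given and stamped with STAMP (touch -t format).
make_sample_tree() {
    root=$1 stamp=$2; shift 2
    mkdir -p "$root/pkg-1.0/src"
    for f in "$@"; do
        printf 'contents of %s\n' "$f" > "$root/pkg-1.0/$f"
        touch -t "$stamp" "$root/pkg-1.0/$f"
    done
}

# repro_selfcheck: two trees with equal contents but different creation
# order and timestamps must give identical archives. Returns 0 if so.
repro_selfcheck() {
    tmp=$(mktemp -d) || return 2
    make_sample_tree "$tmp/a" 201512221723 README src/main.c configure.ac
    make_sample_tree "$tmp/b" 202001010000 configure.ac src/main.c README
    repro_dist "$tmp/a/pkg-1.0" "$tmp/a.tar.gz" &&
        repro_dist "$tmp/b/pkg-1.0" "$tmp/b.tar.gz" &&
        cmp -s "$tmp/a.tar.gz" "$tmp/b.tar.gz"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

repro_selfcheck && echo "archives are byte-for-byte identical"
```

File modes are archived as found in the distdir, so the umask in effect when the tree was created still shows up in the result.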