This is an automated email from the ASF dual-hosted git repository.

snazy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/polaris.git


The following commit(s) were added to refs/heads/main by this push:
     new c40d31c0c Source-tarball - eliminate git-gzip risk (#3075)
c40d31c0c is described below

commit c40d31c0c0b13e768e9f1aa33c8229a6dc38fbb6
Author: Robert Stupp <[email protected]>
AuthorDate: Thu Nov 20 15:57:55 2025 +0100

    Source-tarball - eliminate git-gzip risk (#3075)
    
    Details in the `git archive` chapter in 
https://reproducible-builds.org/docs/archives/
---
 .../src/main/kotlin/publishing/rootProject.kt      | 30 ++++++++++++++--------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/build-logic/src/main/kotlin/publishing/rootProject.kt 
b/build-logic/src/main/kotlin/publishing/rootProject.kt
index 95267fb0a..8aad51c36 100644
--- a/build-logic/src/main/kotlin/publishing/rootProject.kt
+++ b/build-logic/src/main/kotlin/publishing/rootProject.kt
@@ -46,19 +46,29 @@ internal fun configureOnRootProject(project: Project) =
       description =
         "Generate a source tarball for a release to be uploaded to 
dist.apache.org/repos/dist"
 
+      outputs.upToDateWhen { false }
+      outputs.cacheIf { false }
+
       val e = 
project.extensions.getByType(PublishingHelperExtension::class.java)
       doFirst { mkdir(e.distributionDir) }
 
-      executable = "git"
-      args(
-        "archive",
-        "--prefix=${e.baseName.get()}/",
-        "--format=tar.gz",
-        // use a fixed mtime for reproducible tarballs, using the same 
timestamp as jars do
-        "--mtime=1980-02-01 00:00:00",
-        "--output=${e.sourceTarball.get().asFile.relativeTo(projectDir)}",
-        "HEAD",
-      )
+      // Use a fixed mtime for reproducible tarballs, using the same timestamp 
as jars do.
+      // Also don't use the git-internal gzip as it's not stable, see
+      // https://reproducible-builds.org/docs/archives/.
+      commandLine =
+        listOf(
+          "bash",
+          "-c",
+          """
+        git \
+          archive \
+          --prefix="${e.baseName.get()}/" \
+          --format=tar \
+          --mtime="1980-02-01 00:00:00" \
+          HEAD | gzip -6 --no-name > 
"${e.sourceTarball.get().asFile.relativeTo(projectDir)}"
+          """
+            .trimIndent(),
+        )
       workingDir(project.projectDir)
 
       outputs.file(e.sourceTarball)
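Review bot: The `bash -c` script pipes `git archive` into `gzip` without `set -o pipefail`, so the task's exit status is gzip's alone; if `git archive` fails partway, the task can still succeed and leave an empty or truncated file at the path of the tarball that the description says is uploaded to dist.apache.org. Start the script with `set -euo pipefail` on the line before `git \`. Separately, `${e.baseName.get()}` and the tarball path are now spliced into shell text instead of being passed as separate arguments, so a value containing a double quote, `$` or a backquote would be interpreted by bash. These values presumably come from build configuration, but passing them as positional parameters after the script (`"$1"`, `"$2"`) would remove the dependency on their content. The enclosing `configureOnRootProject` starts and ends outside this hunk.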
