> >  ... gzip, for example, has "timestamp" field in header.
> >  Try this locally, without any [D]VCS:
> >
> > % mkdir test && echo "one" > test/one.txt && echo "two" > test/two.txt
> > % tar czf test1.tar.gz test && sleep 5 && tar czf test2.tar.gz test
> > % md5 test1.tar.gz test2.tar.gz
> > MD5 (test1.tar.gz) = 7b7c763a9d1d4edca7b5b415ab297fec
> > MD5 (test2.tar.gz) = 703ac5387b2bd1146434516f1d761ed9
> > % gzip -d test1.tar.gz test2.tar.gz
> > % md5 test1.tar test2.tar
> > MD5 (test1.tar) = 0ba33aa8ff6bffeeeb2d96efc38eec85
> > MD5 (test2.tar) = 0ba33aa8ff6bffeeeb2d96efc38eec85
>
> That is arguably a bug in "tar czf" :)  but it is easy enough to
> work around; we just need a checksum method -- e.g. SHA256_UNGZ --
> that pipes the distfile through gunzip when computing its checksum.
>

The problem goes beyond that: different standard tar formats can
include mutable data like major and minor device numbers, and the
atimes, uids, and gids of files.  See, for example, tar(5). We would
have to continually monitor whether each site generates tarballs with
invariant checksums from the "same" files, or check the integrity of
archive members after extraction.

b.
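
The three checksum strategies discussed in this thread (hash of the raw distfile, hash after gunzip, hash of the archive members), compared in an added example that is not part of the original messages. The function names and the in-memory sample archives are constructed for illustration, and ignoring the mode bits is an assumption of this sketch.

```python
import gzip, hashlib, io, tarfile

def build_tgz(files, mtime, uid, gz_time):
    """Constructed sample: a .tar.gz of `files` with chosen tar and gzip metadata."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.uid, info.gid = len(data), mtime, uid, uid
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_time) as gz:
        gz.write(raw.getvalue())  # gz_time lands in the gzip header timestamp
    return out.getvalue()

def sha256_raw(blob):
    """Checksum of the distfile as downloaded (sensitive to the gzip header)."""
    return hashlib.sha256(blob).hexdigest()

def sha256_ungz(blob):
    """Checksum after gunzip (still sensitive to tar header metadata)."""
    return hashlib.sha256(gzip.decompress(blob)).hexdigest()

def sha256_members(blob):
    """Checksum over member name, type and content only, in sorted order.
    mtime, uid/gid, device numbers and (by assumption here) mode are ignored."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                body = tar.extractfile(m).read()
            elif m.issym() or m.islnk():
                body = m.linkname.encode()
            else:
                body = b""
            # Length-prefix each field so field boundaries cannot be shifted.
            for field in (m.name.encode(), m.type, body):
                h.update(len(field).to_bytes(8, "big") + field)
    return h.hexdigest()

# Constructed inputs mirroring the test/one.txt, test/two.txt session above.
FILES = {"test/one.txt": b"one\n", "test/two.txt": b"two\n"}
FIRST = build_tgz(FILES, mtime=1000, uid=0, gz_time=1000)
REGZIPPED = build_tgz(FILES, mtime=1000, uid=0, gz_time=1005)     # only gzip time differs
REGENERATED = build_tgz(FILES, mtime=2000, uid=1001, gz_time=1005)  # tar metadata differs
TAMPERED = build_tgz({**FILES, "test/two.txt": b"2\n"}, 1000, 0, 1000)

if __name__ == "__main__":
    for name in ("FIRST", "REGZIPPED", "REGENERATED", "TAMPERED"):
        blob = globals()[name]
        print(name, sha256_raw(blob)[:12], sha256_ungz(blob)[:12], sha256_members(blob)[:12])
```
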