> > ... gzip, for example, has "timestamp" field in header.
> > Try this locally, without any [D]VCS:
> >
> > % mkdir test && echo "one" > test/one.txt && echo "two" > test/two.txt
> > % tar czf test1.tar.gz test && sleep 5 && tar czf test2.tar.gz test
> > % md5 test1.tar.gz test2.tar.gz
> > MD5 (test1.tar.gz) = 7b7c763a9d1d4edca7b5b415ab297fec
> > MD5 (test2.tar.gz) = 703ac5387b2bd1146434516f1d761ed9
> > % gzip -d test1.tar.gz test2.tar.gz
> > % md5 test1.tar test2.tar
> > MD5 (test1.tar) = 0ba33aa8ff6bffeeeb2d96efc38eec85
> > MD5 (test2.tar) = 0ba33aa8ff6bffeeeb2d96efc38eec85
>
> That is arguably a bug in "tar czf" :) but it is easy enough to
> work around; we just need a checksum method -- e.g. SHA256_UNGZ --
> that pipes the distfile through gunzip when computing its checksum.
>

The problem goes beyond that: different standard tar formats can include mutable data like major and minor device numbers, and the atimes, uids, and gids of files. See, for example, tar(5). We would have to continually monitor whether each site generates tarballs with invariant checksums from the "same" files, or check the integrity of archive members after extraction.

b.

_______________________________________________
freebsd-ports@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ports
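
The two layers of variance discussed in this thread, as an added example that is not part of the original messages: the gzip header time changes the archive hash, hashing the gunzipped stream fixes that, and differing tar header metadata then breaks the gunzipped hash while a digest over member names and contents stays stable. The helper names `make_tgz`, `sha256_ungz` and `member_digest` are hypothetical, the sample files are constructed, and `SHA256_UNGZ` is only the name proposed in the quoted message.

```python
import gzip, hashlib, io, tarfile

# Constructed sample input mirroring the thread's test directory.
FILES = {"test/one.txt": b"one\n", "test/two.txt": b"two\n"}

def make_tgz(gz_mtime, uid=0, file_mtime=0, files=FILES):
    """Build a .tar.gz in memory with a chosen gzip-header time and tar metadata."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.uid, info.gid, info.mtime = len(data), uid, uid, file_mtime
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=gz_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return out.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def sha256_ungz(blob):
    """Hash the gunzipped stream, ignoring the gzip header (the SHA256_UNGZ idea)."""
    return sha256(gzip.decompress(blob))

def member_digest(blob):
    """Hash member names and contents only, read in memory without extracting to disk."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                data = tar.extractfile(m).read()
                # Length-prefix each field so distinct archives cannot collide by concatenation.
                h.update(b"%d:%s%d:" % (len(m.name.encode()), m.name.encode(), len(data)) + data)
    return h.hexdigest()

if __name__ == "__main__":
    a, b = make_tgz(gz_mtime=1), make_tgz(gz_mtime=6)      # same files, 5 s apart
    c = make_tgz(gz_mtime=1, uid=1001, file_mtime=1234)    # same files, other uid/mtime
    print("raw equal:        ", sha256(a) == sha256(b))
    print("ungz equal (a,b): ", sha256_ungz(a) == sha256_ungz(b))
    print("ungz equal (a,c): ", sha256_ungz(a) == sha256_ungz(c))
    print("members equal:    ", member_digest(a) == member_digest(c))
```
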