[ 
https://issues.apache.org/jira/browse/COMPRESS-583?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17390835#comment-17390835
 ] 

Peter Lee commented on COMPRESS-583:
------------------------------------

Thanks for your explanations [~francium25].

Now I understand the importance of reproducibility. We didn't do much for 
reproducibility before - we don't have enough related tests. We will try to 
improve this. PRs are always welcome. :)

 

> _as I didn't find any relevant changelog for this behavioral change._

This is my bad. PR #97 was not meant to introduce the uid/gid to 
TarArchiveEntry. I reviewed and merged this but I didn't notice this may cause 
a reproducibility problem - and I didn't record this in the changelog.

 

As you mentioned, 1.21 is already released and this could not be reverted. But 
you're right about the changelog. I'm trying to update the release log of 1.21.

 

Thank you again for your report.

> 1.21 generates different output binaries compared to older versions as well 
> as on different OSes
> ------------------------------------------------------------------------------------------------
>
>                 Key: COMPRESS-583
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-583
>             Project: Commons Compress
>          Issue Type: Bug
>    Affects Versions: 1.21
>            Reporter: Chanseok Oh
>            Priority: Major
>
> Upgrading {{commons-compress}} had always been generating the same compressed 
> output byte-to-byte for the same input (i.e., their SHA checksum didn't 
> change between versions). However, starting with 1.21, we noticed it's 
> generating different output than what previous versions are generating.
> We also noticed that the same code generates different binaries on different 
> OSes. For example, 1.21 on Linux is different from 1.21 on Mac.
> However, at least on the same OS, 1.21 seems to reproducibly generate the 
> same output.
> See the context at [https://github.com/GoogleContainerTools/jib/pull/3342]
> ----
> *UPDATE*: running diffoscope reveals that 1.21 is picking up the user and 
> group of a local environment.
> (output below manually reformatted slightly for readability)
> {{$ diffoscope 
> 6d2763b0f3940d324ea6b55386429e5b173899608abf7d1bff62e25dd2e4dcea.tar.gz 
> 32258c626498c13412679442e3417811bc7ab801c6928da2c2a97e0bbc380a88.tar.gz}}
> {{--- 
> 6d2763b0f3940d324ea6b55386429e5b173899608abf7d1bff62e25dd2e4dcea.tar.gz}}
> {{+++ 
> 32258c626498c13412679442e3417811bc7ab801c6928da2c2a97e0bbc380a88.tar.gz}}
> {{│ --- 6d2763b0f3940d324ea6b55386429e5b173899608abf7d1bff62e25dd2e4dcea.tar}}
> {{├── +++ 
> 32258c626498c13412679442e3417811bc7ab801c6928da2c2a97e0bbc380a88.tar}}
> {{│ ├── file list}}
> {{│ │ @@ -1,3 +1,3 @@}}
> {{│ │ {color:#de350b}-drwxr-xr-x 0                 0          0 0 1970-01-01 
> 00:00:01.000000 app/{color}}}
> {{│ │ {color:#00875a}+drwxr-xr-x 0 chanseok (252384) eng (5000) 0 1970-01-01 
> 00:00:01.000000 app/{color}}}
> {{│ │ -rw-r--r--  0                 0          0 0 1970-01-01 00:00:01.000000 
> app/fileB.txt}}
> {{│ │ -rw-r--r--  0                 0          0 0 1970-01-01 00:00:01.000000 
> app/fileC.txt}}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
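
The ownership drift that diffoscope shows in the report above can be caught in a build check by reading the tar headers directly. The following is an added example, not code from Commons Compress or Jib: it uses Python's standard `tarfile` module on a constructed three-entry archive modelled on the diffoscope listing, and the function names are hypothetical.

```python
import hashlib
import io
import tarfile

# Constructed sample entries, modelled on the diffoscope file list in the report.
ENTRIES = (("app", None), ("app/fileB.txt", b"B\n"), ("app/fileC.txt", b"C\n"))


def build_tar(dir_owner=None):
    """Build the sample tar; dir_owner=(uid, uname, gid, gname) mimics a leaked local account."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in ENTRIES:
            info = tarfile.TarInfo(name)
            info.mtime = 1  # fixed timestamp, as in the report's listing
            if data is None:
                info.type, info.mode = tarfile.DIRTYPE, 0o755
                if dir_owner:
                    info.uid, info.uname, info.gid, info.gname = dir_owner
            else:
                info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data is not None else None)
    return buf.getvalue()


def find_owner_leaks(tar_bytes):
    """Return (name, uid, uname, gid, gname) for every entry carrying ownership data."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [(m.name, m.uid, m.uname, m.gid, m.gname)
                for m in tar if m.uid or m.gid or m.uname or m.gname]


def strip_owners(tar_bytes):
    """Rewrite the archive with uid/gid zeroed and user/group names emptied."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as src, \
         tarfile.open(fileobj=out, mode="w", format=tarfile.GNU_FORMAT) as dst:
        for m in src:
            m.uid = m.gid = 0
            m.uname = m.gname = ""
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    leaky = build_tar(("252384", "chanseok", "5000", "eng")[0:0] or (252384, "chanseok", 5000, "eng"))
    print(find_owner_leaks(leaky), sha256(leaky) == sha256(build_tar()))
```

A non-empty result from `find_owner_leaks` on a release artifact means the archive's checksum depends on the account that built it.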
