There is ongoing discussion about reproducible builds within GNU.  I'm
having trouble figuring out the best approach for deterministic
distribution archives using Automake.

Here's my original message on gnu-prog-discuss:

> I did read https://reproducible-builds.org/docs/archives/.
>
> Automake-generated Makefiles have many archive options.  I'm assuming
> that my best option is to modify the timestamps and other metadata of
> the files in distdir using `dist-hook`, but that doesn't solve file
> ordering.
>
> What would the GNU recommendation be in this case, and what fits best
> with the spirit of Automake?  Post-processing the tarball is awkward
> since it is part of a pipeline (to whatever compression algorithm is
> chosen for the final archive).  I'm not sure how to modify am__tar to
> include processing as part of that pipeline (e.g. as used in
> dist-gzip)---Automake doesn't provide options to configure its value
> outside of _AM_PROG_TAR, which is rigid.
>
> strip-nondeterminism appears to support ar, gzip, jar, and zip; should I
> just use that?


Ludo had some suggestions:

On Tue, Dec 22, 2015 at 17:23:55 +0100, Ludovic Courtès wrote:
> At the very least, Automake should change the default value of
> ‘GZIP_ENV’ to “--best --no-name” (the latter tells gzip to not add a
> timestamp in its output.)
>
> Ideally ‘make dist’ would also sort files in the archives.  Recent
> versions of GNU tar support ‘--sort=name’ but we’d need a way to do that
> portably (or require GNU tar for ‘make dist’.)
>
> Lastly, archive timestamps could be reset, as per --mtime=@0, but again,
> portability needs to be considered.  In some cases, this feature might
> need to be turned off.
>
> Thoughts?


Is there a [good] way to solve this problem until we can implement any
suggestions in Automake?

-- 
Mike Gerwitz
Free Software Hacker | GNU Maintainer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB

Attachment: signature.asc
Description: PGP signature

Reply via email to