diff mbox series

[bug#48933] build: Make outputs of node-build-system reproducible.

Message ID YMC6mp3HDmRyjAd4@noor.fritz.box
State Accepted
Headers show
Series [bug#48933] build: Make outputs of node-build-system reproducible. | expand

Checks

Context Check Description
cbaines/comparison success View comparision
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

Lars-Dominik Braun June 9, 2021, 12:56 p.m. UTC 
package.json records two hashes of package.tgz, which change for each
build, resulting in non-reproducible builds.

* guix/build/node-build-system.scm (repack): Add reproducibility options
to tar command.
---
 guix/build/node-build-system.scm | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Ludovic Courtès June 16, 2021, 8:51 p.m. UTC | #1 
Hi,

Lars-Dominik Braun <lars@6xq.net> skribis:

> package.json records two hashes of package.tgz, which change for each
> build, resulting in non-reproducible builds.
>
> * guix/build/node-build-system.scm (repack): Add reproducibility options
> to tar command.

Yay!

>  (define* (repack #:key inputs #:allow-other-keys)
> -  (invoke "tar" "-czf" "../package.tgz" ".")
> +  (invoke "tar"
> +          ;; Add options suggested by https://reproducible-builds.org/docs/archives/
> +          "--sort=name"
> +          (string-append "--mtime=" (getenv "SOURCE_DATE_EPOCH"))

I think it should be "--mtime=@".

> +          "--owner=0"
> +          "--group=0"
> +          "--numeric-owner"
> +          "--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime"
> +          "-czf" "../package.tgz" ".")

I didn’t know about this ‘--pax-option’ trick; since it’s only useful
when POSIXLY_CORRECT is set, perhaps we can remove it?

(guix docker) does this:

--8<---------------cut here---------------start------------->8---
(define %tar-determinism-options
  ;; GNU tar options to produce archives deterministically.
  '("--sort=name" "--mtime=@1"
    "--owner=root:0" "--group=root:0"

    ;; When 'build-docker-image' is passed store items, the 'nlink' of the
    ;; files therein leads tar to store hard links instead of actual copies.
    ;; However, the 'nlink' count depends on deduplication in the store; it's
    ;; an "implicit input" to the build process.  '--hard-dereference'
    ;; eliminates it.
    "--hard-dereference"))
--8<---------------cut here---------------end--------------->8---

and (guix packages) does something similar.

So ‘--sort=name’ seems to be missing.

HTH,
Ludo’.
diff mbox series

Patch

diff --git a/guix/build/node-build-system.scm b/guix/build/node-build-system.scm
index a55cab237c..9b3de43e24 100644
--- a/guix/build/node-build-system.scm
+++ b/guix/build/node-build-system.scm
@@ -120,7 +120,15 @@ 
   #t)
 
 (define* (repack #:key inputs #:allow-other-keys)
-  (invoke "tar" "-czf" "../package.tgz" ".")
+  (invoke "tar"
+          ;; Add options suggested by https://reproducible-builds.org/docs/archives/
+          "--sort=name"
+          (string-append "--mtime=" (getenv "SOURCE_DATE_EPOCH"))
+          "--owner=0"
+          "--group=0"
+          "--numeric-owner"
+          "--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime"
+          "-czf" "../package.tgz" ".")
   #t)
 
 (define* (install #:key outputs inputs #:allow-other-keys)