Bug 1218191 - trackerbug: packages do not build reproducibly from tar file
Status: CONFIRMED
Alias: None
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Other
Version: Current
Hardware: Other All
Priority: P5 - None, Severity: Normal
Assignee: Bernhard Wiedemann
QA Contact: E-mail List
Blocks: 1081754
Reported: 2023-12-19 08:59 UTC by Bernhard Wiedemann
Modified: 2024-02-16 21:10 UTC

Found By: Development
Description Bernhard Wiedemann 2023-12-19 08:59:56 UTC
Background: https://reproducible-builds.org/

Some packages include tar files.
Tar files often suffer from several sources of non-determinism:

1) filesystem readdir order during recursion (bug 1041090)
2) embedded mtime/atime/ctime values (bug 1047218)
3) pax headers contain the PID of tar


1) can be avoided by calling tar with --sort=name
2) can be avoided by calling tar with --mtime=@$SOURCE_DATE_EPOCH
3) can be avoided with --format=gnu or 
   --pax-option=exthdr.name=%%d/PaxHeaders/%%f,delete=atime,delete=ctime

https://reproducible-builds.org/docs/archives/ has information on problems
and solutions
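
The three options from the description combined into one invocation, as an added example that is not part of the original bug report. It assumes GNU tar 1.28 or later; `repro_tar`, `make_tree`, `check_repro`, the sample tree and the fallback epoch are constructed for illustration, and the owner flags go beyond the three points listed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU tar >= 1.28 (--sort).
# repro_tar, make_tree and check_repro are hypothetical helper names.

# repro_tar OUTPUT SRCDIR: archive SRCDIR without the three sources of
# non-determinism listed in the report.
repro_tar() {
    out=$1
    src=$2
    # Constructed fallback value for builds that do not export the variable.
    epoch=${SOURCE_DATE_EPOCH:-1700000000}
    # --sort=name     1) member order no longer follows readdir order
    # --mtime=@epoch  2) every member gets the same fixed timestamp
    # --format=gnu    3) no pax extended headers: no PID, no atime/ctime
    # --owner/--group/--numeric-owner go beyond the three points and keep
    # the builder's uid/gid and account names out of the headers.
    LC_ALL=C tar --sort=name --mtime="@$epoch" --format=gnu \
        --owner=0 --group=0 --numeric-owner \
        -cf "$out" -C "$src" .
}

# make_tree DIR "FILES": constructed sample input, created in the given order.
make_tree() {
    mkdir -p "$1/sub"
    for f in $2; do
        printf 'content of %s\n' "${f##*/}" > "$1/$f"
    done
}

# check_repro: succeeds when two trees with identical content but different
# creation order and different mtimes yield byte-identical archives.
check_repro() {
    work=$(mktemp -d) || return 1
    make_tree "$work/a" "a.txt sub/b.txt c.txt"
    make_tree "$work/b" "c.txt sub/b.txt a.txt"
    touch -t 200101010000 "$work/b/a.txt" "$work/b/sub" "$work/b"
    repro_tar "$work/a.tar" "$work/a"
    repro_tar "$work/b.tar" "$work/b"
    if cmp -s "$work/a.tar" "$work/b.tar"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return "$rc"
}

check_repro && echo "archives are byte-identical"
```

If the tarball is compressed afterwards, the compressor can add its own timestamp; with gzip, `-n` omits it.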