[rb-general] Reproducing tarballs under various toolchains

Daniel Shahaf danielsh at apache.org
Thu Sep 20 17:34:37 CEST 2018


Eli Schwartz wrote on Thu, 20 Sep 2018 03:08 -0400:
> This is really just a generic question of "are two programs that create
> the same *type* of output, generating custom, unpredictable output".

Agreed.

> And it doesn't seem like that would be so just because of the fact that
> they use different command-line flags to override the value stored in a
> standardized field (the uid/gid of recorded files).
> 

Unfortunately, the fact they use different syntaxes for identical
functionality _is_ a problem.  In a nutshell, it makes it difficult for
portable programs to use the functionality, since they need to test for
three cases: 1) GNU tar newer than version X 2) BSD tar newer than
version Y 3) anything else.  A program that creates tarballs for a
living would go the extra mile to handle all these cases, sure, but some
random makefile target that does "tar -zcf $(NAME)-$(VERSION).tar.gz *"
may well not go that extra mile.

> But the secondary solution is to add a very small documentation update
> to the reproducible-builds website, to change "the recommended way is to
> use GNU tar with these switches" to "the recommended way is to either
> use GNU tar with these switches, or use bsdtar with these other switches".
> 

I agree it would be an improvement to document bsdtar's support there.
However, "use either 'gtar --foo' or 'bsdtar --bar'" is not a solution
for upstreams that want to just use the system tar, whichever system
they happen to run on.

To summarize the action items so far:

1. Patch the site to mention bsdtar support for these flags
2. Ask bsdtar to support the gtar flag names
3. Ask gtar to support the bsdtar flag names

Cheers,

Daniel

P.S. John, thanks for the answer.  You should have seen my face when I
     read it. :)
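
The three-way test described in the message above (GNU tar, BSD tar, anything else), sketched as an added example that is not part of the original message or of any project mentioned in it. The function names are hypothetical, the flag spellings are the ones documented in the GNU tar and bsdtar manuals rather than taken from this thread, and a feature probe stands in for the unspecified version cut-offs.

```sh
#!/bin/sh
# Added example: choose owner-normalising flags for whichever tar is installed.
# Source this file, then run: repro_tar OUTPUT.tar FILE...

# Classify a tar from the first line of its `--version` output.
tar_flavor() {
    case "$1" in
        *"GNU tar"*) echo gnu ;;
        bsdtar*)     echo bsd ;;
        *)           echo unknown ;;
    esac
}

# Flags that force uid/gid 0 into the archive, per flavor.
tar_owner_flags() {
    case "$1" in
        gnu) echo "--owner=0 --group=0 --numeric-owner" ;;
        bsd) echo "--uid 0 --gid 0 --numeric-owner" ;;
        *)   return 1 ;;   # case 3: no known way to override ownership
    esac
}

# Feature probe instead of a version comparison: try the flags on a scratch file.
tar_accepts() {   # usage: tar_accepts TAR FLAGS
    probe=$(mktemp) || return 1
    # $2 is intentionally unquoted so it splits into separate options.
    "$1" -cf /dev/null $2 "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return "$rc"
}

repro_tar() {
    tar_bin=${TAR:-tar}
    out=$1; shift
    flavor=$(tar_flavor "$("$tar_bin" --version 2>/dev/null | head -n 1)")
    if flags=$(tar_owner_flags "$flavor") && tar_accepts "$tar_bin" "$flags"; then
        "$tar_bin" -cf "$out" $flags "$@"
    else
        # Fall back, but say so: the archive will not be reproducible across users.
        echo "warning: $tar_bin cannot override ownership; local uid/gid recorded" >&2
        "$tar_bin" -cf "$out" "$@"
    fi
}
```

This covers only the ownership fields discussed in the thread; timestamps and member ordering need their own handling.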

