Unreproducible tar files on go.googlesource.com
kpcyrd
kpcyrd at archlinux.org
Tue Jul 18 09:55:04 UTC 2023
hello!
while packaging govulncheck for Arch Linux I noticed a checksum mismatch
for a tar file I downloaded from go.googlesource.com.
I used diffoscope to compare the tar file I downloaded with the tar file
the build server downloaded, and noticed the timestamps are different:
local% tar tvvf govulncheck-1.0.0.tar.gz | head
-rw-r--r-- 0/0 63 2023-07-18 11:32 .gitignore
-rw-r--r-- 0/0 995 2023-07-18 11:32 CONTRIBUTING.md
-rw-r--r-- 0/0 1479 2023-07-18 11:32 LICENSE
-rw-r--r-- 0/0 1303 2023-07-18 11:32 PATENTS
-rw-r--r-- 0/0 1563 2023-07-18 11:32 README.md
-rw-r--r-- 0/0 3496 2023-07-18 11:32 all_test.go
-rwxr-xr-x 0/0 1585 2023-07-18 11:32 checks.bash
drwxr-xr-x 0/0 0 2023-07-18 11:32 cmd/
drwxr-xr-x 0/0 0 2023-07-18 11:32 cmd/govulncheck/
-rw-r--r-- 0/0 3627 2023-07-18 11:32 cmd/govulncheck/doc.go
[kpcyrd at build ~]$ tar tvvf /var/lib/archbuilddest/srcdest/govulncheck-1.0.0.tar.gz | head
-rw-r--r-- 0/0 63 2023-07-18 09:33 .gitignore
-rw-r--r-- 0/0 995 2023-07-18 09:33 CONTRIBUTING.md
-rw-r--r-- 0/0 1479 2023-07-18 09:33 LICENSE
-rw-r--r-- 0/0 1303 2023-07-18 09:33 PATENTS
-rw-r--r-- 0/0 1563 2023-07-18 09:33 README.md
-rw-r--r-- 0/0 3496 2023-07-18 09:33 all_test.go
-rwxr-xr-x 0/0 1585 2023-07-18 09:33 checks.bash
drwxr-xr-x 0/0 0 2023-07-18 09:33 cmd/
drwxr-xr-x 0/0 0 2023-07-18 09:33 cmd/govulncheck/
-rw-r--r-- 0/0 3627 2023-07-18 09:33 cmd/govulncheck/doc.go
https://go.googlesource.com/vuln/+archive/refs/tags/v1.0.0.tar.gz
I downloaded the file 3 times and got a different sha256 every time; it
seems the tar file records the current time when downloading it.
1st: ddf7cfd295eef68ba284b6471b88dea8efb91b5a115cbead2a3303dce55db94f
2nd: 4e9e72a8d19faf25a303d46af559471e8698321d131cec05f31419e2fc9ab43a
3rd: 37d9a2b04e9d73effdfbe565012f47456be2360f9389ebd89a981ce27c8bf4ce
I figured I'd share this here for documentation purposes.
Have a nice day,
kpcyrd
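Added example (not part of the post above, and not tooling from the Go project or Arch Linux): a packager-side check that tells "the archive differs only in entry timestamps" apart from "the archive content changed", which is the distinction diffoscope made by hand in the post. It hashes each tar entry's path, type, mode, owner, size and content while deliberately ignoring mtime, and compares that against the raw sha256 of the download. The file names and the two mtimes are taken from the listings above; the file contents are constructed placeholders.

```python
import calendar
import hashlib
import io
import tarfile

# Constructed sample: a few paths from the govulncheck listing above with
# made-up contents (not the real files from the v1.0.0 tarball).
SAMPLE_FILES = {
    ".gitignore": b"*.test\n",
    "CONTRIBUTING.md": b"# Contributing\n",
    "cmd/govulncheck/doc.go": b"// Package main implements govulncheck.\n",
}
# The two download times seen in the post (2023-07-18 09:33 and 11:32).
MTIME_FIRST = calendar.timegm((2023, 7, 18, 9, 33, 0))
MTIME_SECOND = calendar.timegm((2023, 7, 18, 11, 32, 0))


def build_tar_gz(files, mtime):
    """Build a .tar.gz in memory, stamping every entry with `mtime`
    (epoch seconds), mimicking an archive generated at download time."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime, info.mode = len(data), mtime, 0o644
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def content_digest(tar_bytes):
    """Digest over what a packager cares about (path, type, mode, owner,
    size, bytes) in archive order; mtime is excluded on purpose."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for info in tar:
            fields = (info.name, info.type.decode(), oct(info.mode),
                      f"{info.uid}:{info.gid}", str(info.size))
            h.update(("\0".join(fields) + "\n").encode())
            if info.isfile():
                h.update(tar.extractfile(info).read())
    return h.hexdigest()


def differs_only_in_mtime(a, b):
    """True when raw checksums differ but the timestamp-free content matches."""
    return sha256_hex(a) != sha256_hex(b) and content_digest(a) == content_digest(b)
```

A content digest that still differs after normalising mtime is the case worth investigating, since then something other than the download time changed between the two fetches.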