Conversation

Notices

1. Embed this notice
   Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Wednesday, 03-Apr-2024 12:52:43 JST Ludovic Courtès

   “Towards reproducible minimal source code tarballs?” by @jas4711:
   https://blog.josefsson.org/2024/04/01/towards-reproducible-minimal-source-code-tarballs-please-welcome-src-tar-gz/

   I think “make dist”-generated tarballs are just one part of the xz debacle (and not the most frightening part), but at least we can do something about them: when they’re the byproduct of a build process, we can build them from source (like Debian does); when they add something that’s not in the VCS (such as .po files), we can at least ensure a reproducible build process as Simon advocates here.

   • Embed this notice
     Janneke (janneke@todon.nl)'s status on Sunday, 07-Apr-2024 21:18:39 JST Janneke

     in reply to

     • Reproducible Builds

     @civodul @jas4711 Just posted V2; when this is merged, building the Guix source tarball is fully reproducible.

     https://issues.guix.gnu.org/70169/#21

     That sounds like a rather trivial effort, but #GNU standards mandate inclusion of pre-built documentation...and there seems to be a "let's add a timestamp" fetishism that has spread like a virus.

     There are several tools to change the timestamp of a PDF; and there is a specification (v1.7 I believe) that mandates the new timestamp to be *appended*. Which all of these tools now do.

     Probably @reproducible_builds should also move into standardization committies if we're ever going to get/keep our builds reproducible.
     #ReproducibleBuilds

     https://issues.guix.gnu.org/70169/#21

     Abhiseck Paira :gnu: :gnuhurd: repeated this.
   • Embed this notice
     Janneke (janneke@todon.nl)'s status on Sunday, 07-Apr-2024 21:18:41 JST Janneke

     in reply to

     @civodul @jas4711
     Resurrected and finished an old patch set for creating the Guix source tarball (make dist) reproducibly.

     https://issues.guix.gnu.org/70169/

   • Embed this notice
     Janneke (janneke@todon.nl)'s status on Sunday, 07-Apr-2024 21:18:43 JST Janneke

     in reply to

     @civodul @jas4711
     The benefits of Reproducible tarballs are a no-brainer to me.

     I've been carrying and developing reproducible source tarball patches for Autotools and GNU Mes for quite some time, party courtesy of Timothy Sample.

     I'm embarrassed and confused that after over 10y of Reproducible Builds, GNU and Autotools still need to get used to these ideas (and don't seem to make any progress at all).

   • Embed this notice
     Janneke (janneke@todon.nl)'s status on Sunday, 07-Apr-2024 21:19:17 JST Janneke

     in reply to

     • Reproducible Builds

     @civodul @jas4711 @reproducible_builds Yet another file format begetting delusions of grandeur and confusing itself with Git.

     Dear PDF, you were created from (La)TeX or ORG or whatnot, and that's already under version control. Get a grip.