Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Archives created with --format tar.gz and --format zip aren't reproducible #31

Open
tjanez opened this issue Dec 23, 2015 · 4 comments
Open

Archives created with --format tar.gz and --format zip aren't reproducible #31

tjanez opened this issue Dec 23, 2015 · 4 comments

Comments

@tjanez
Copy link

tjanez commented Dec 23, 2015

I've created a simple Bash script reproducibility-test.sh to test the reproducibility of various --format options. I've also compared it to git's built-in archive command.

Here are sample results for a git repo with submodules:

[tadej@tlinux64 genesis]$ ./reproducibility-test.sh 
  adding: genjs.zip (stored 0%)
  adding: genjs.zip (stored 0%)
  adding: genjs.zip (stored 0%)
/tmp/reproducibility_test.WagXHM ~/Genialis/genesis
88baafe24913ccd6ec0945b1b3f4566b  git-archive-all-tar_only-1.tar
88baafe24913ccd6ec0945b1b3f4566b  git-archive-all-tar_only-2.tar
88baafe24913ccd6ec0945b1b3f4566b  git-archive-all-tar_only-3.tar
09f08547cfc2e70bfbae9d570583246e  git-archive-all-tar_with_gzip-1.tar.gz
71bdb10ddf853300f5a98bfe8eaa3b96  git-archive-all-tar_with_gzip-2.tar.gz
3e0d95d0f2dcc4385d5d6deec58b7ef4  git-archive-all-tar_with_gzip-3.tar.gz
06181cf449d7137817d84c3826e64b0b  git-archive-all-zip-1.zip
8681020a6fde7e750419b6e821ad2d9b  git-archive-all-zip-2.zip
c4b9933c33c0e9c4e7bac35cf23f7294  git-archive-all-zip-3.zip
97bafb747b169297f1ebf488dcc9ae5c  git-archive-tar_only-1.tar
97bafb747b169297f1ebf488dcc9ae5c  git-archive-tar_only-2.tar
97bafb747b169297f1ebf488dcc9ae5c  git-archive-tar_only-3.tar
d2c5692100208019da62f26ddb1719a0  git-archive-tar_with_gzip-1.tar.gz
d2c5692100208019da62f26ddb1719a0  git-archive-tar_with_gzip-2.tar.gz
d2c5692100208019da62f26ddb1719a0  git-archive-tar_with_gzip-3.tar.gz
7a1cb6286609909a50b162105ef13eee  git-archive-zip-1.zip
7a1cb6286609909a50b162105ef13eee  git-archive-zip-2.zip
7a1cb6286609909a50b162105ef13eee  git-archive-zip-3.zip
~/Genialis/genesis
[tadej@tlinux64 genesis]$

As can be seen from the results, git's built-in archive command always creates reproducible archives, regardless of the --format option.

On the contrary, git-archive-all.sh only creates reproducible archives with the --format tar option.
@fabacab
Copy link
Owner

fabacab commented Dec 23, 2015

Huh. What happens if you add the -n (--no-name) switch to the various calls to gzip? Per the gzip manual page:

-n, --no-name This option stops the filename and timestamp from being stored in the output file.

Could perhaps the timestamp added to the gzip file header be causing a discrepancy?

@Mic92
Copy link

Mic92 commented May 2, 2020

You can export GZIP=-n https://github.com/NixOS/nixpkgs/pull/86493/files#diff-f98fdb70c813cc44cd5600f4a059ee25R36 to avoid the behavior in gzip.

@tjanez
Copy link
Author

tjanez commented May 2, 2020
edited by fabacab
Loading

@Mic92, thanks for the tip. I can confirm this works:

[tadej@toronto temp-repo ]$ bash reproducibility-test.sh 
  adding: deps.nanos-secure-sdk.zip (stored 0%)
  adding: deps.nanos-secure-sdk.zip (stored 0%)
  adding: deps.nanos-secure-sdk.zip (stored 0%)
/tmp/reproducibility_test.KCTWSH ~/Oasis/Code/temp-repo
34427bca560a05c29d2e995f61ca6135  git-archive-all-tar_only-1.tar
34427bca560a05c29d2e995f61ca6135  git-archive-all-tar_only-2.tar
34427bca560a05c29d2e995f61ca6135  git-archive-all-tar_only-3.tar
9e8ad93c340e461bac1221b56ab2f5fc  git-archive-all-tar_with_gzip-1.tar.gz
3871d7b6d7892c11cb4457ea3c6e92f6  git-archive-all-tar_with_gzip-2.tar.gz
f6f64056785b0992b4915280759cabc3  git-archive-all-tar_with_gzip-3.tar.gz
45ff56c8dc74bf87e4f40d33259df99d  git-archive-all-zip-1.zip
23e5dbf69ae9c82f781ec99057c24e12  git-archive-all-zip-2.zip
b3c4b14a9fc6c20ec2791fae61101acf  git-archive-all-zip-3.zip
0ef4923f0362ce95a8488db78ccc9b39  git-archive-tar_only-1.tar
0ef4923f0362ce95a8488db78ccc9b39  git-archive-tar_only-2.tar
0ef4923f0362ce95a8488db78ccc9b39  git-archive-tar_only-3.tar
e6b1f0ccb3b5748b092be95f6243dd2d  git-archive-tar_with_gzip-1.tar.gz
e6b1f0ccb3b5748b092be95f6243dd2d  git-archive-tar_with_gzip-2.tar.gz
e6b1f0ccb3b5748b092be95f6243dd2d  git-archive-tar_with_gzip-3.tar.gz
0f71dceb03f97eab4cf1d347f5243030  git-archive-zip-1.zip
0f71dceb03f97eab4cf1d347f5243030  git-archive-zip-2.zip
0f71dceb03f97eab4cf1d347f5243030  git-archive-zip-3.zip
~/Oasis/Code/temp-repo
[tadej@toronto temp-repo ]$ export GZIP=-n
[tadej@toronto temp-repo ]$ bash reproducibility-test.sh 
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
  adding: deps.nanos-secure-sdk.zip (stored 0%)
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
  adding: deps.nanos-secure-sdk.zip (stored 0%)
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
gzip: warning: GZIP environment variable is deprecated; use an alias or script
  adding: deps.nanos-secure-sdk.zip (stored 0%)
gzip: warning: GZIP environment variable is deprecated; use an alias or script
/tmp/reproducibility_test.Ag3Tyw ~/Oasis/Code/temp-repo
34427bca560a05c29d2e995f61ca6135  git-archive-all-tar_only-1.tar
34427bca560a05c29d2e995f61ca6135  git-archive-all-tar_only-2.tar
34427bca560a05c29d2e995f61ca6135  git-archive-all-tar_only-3.tar
6715c58bdb8155b0b9e4290e4d47a56b  git-archive-all-tar_with_gzip-1.tar.gz
6715c58bdb8155b0b9e4290e4d47a56b  git-archive-all-tar_with_gzip-2.tar.gz
6715c58bdb8155b0b9e4290e4d47a56b  git-archive-all-tar_with_gzip-3.tar.gz
c21a2a6e3caa4fcbc41e5fc33e3a3a4e  git-archive-all-zip-1.zip
8f6f6b4b78f5b84344d68c20d17d5c91  git-archive-all-zip-2.zip
69972e9349acf85479becd4e805e4549  git-archive-all-zip-3.zip
0ef4923f0362ce95a8488db78ccc9b39  git-archive-tar_only-1.tar
0ef4923f0362ce95a8488db78ccc9b39  git-archive-tar_only-2.tar
0ef4923f0362ce95a8488db78ccc9b39  git-archive-tar_only-3.tar
e6b1f0ccb3b5748b092be95f6243dd2d  git-archive-tar_with_gzip-1.tar.gz
e6b1f0ccb3b5748b092be95f6243dd2d  git-archive-tar_with_gzip-2.tar.gz
e6b1f0ccb3b5748b092be95f6243dd2d  git-archive-tar_with_gzip-3.tar.gz
0f71dceb03f97eab4cf1d347f5243030  git-archive-zip-1.zip
0f71dceb03f97eab4cf1d347f5243030  git-archive-zip-2.zip
0f71dceb03f97eab4cf1d347f5243030  git-archive-zip-3.zip
~/Oasis/Code/temp-repo

adding -n switch to gzip calls would make gzipped tarballs reproducible.

@LecrisUT
Copy link

I think this should just be added in by default. In the script

@LecrisUT LecrisUT mentioned this issue Jun 15, 2023
Closed
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fabacab @Mic92 @tjanez @LecrisUT