From: Bruno Haible
To: bug-gnulib@gnu.org
Cc: Simon Josefsson
Subject: Re: RFC: git-commit based mtime-reproducible tarballs
Date: Sun, 15 Jan 2023 14:21:01 +0100

Hi Simon,

> > This attempts to make
> > reproducible tarballs by sorting the files and passing the
> > "--mtime=" option to tar.
...
> Having the same mtime on all files in a tarball

First question: What is the point of doing that?

Reproducibility is about verifying that an artifact A was generated from
a source S.

When I, as a GNU maintainer or uploader, create a tarball and upload it
to ftp.gnu.org, that tarball is the source S. Because that's what I sign
with my GPG key. The commits in the git repo aren't the source, and even
the git checkout on my disk isn't the source — because I am free to
unpack and repack the tarball as I like, before I upload it to
ftp.gnu.org.

When someone runs a complex build on possibly untrusted servers in the
cloud, then it makes sense to view the tarball as an artifact A and the
git repository as the source S. (If the git repository is hosted
elsewhere. If the git repository is being hosted on the same untrusted
servers, it is not sufficient.)

As a consequence, please make such modifications dependent on an option
or environment variable (maybe SOURCE_DATE_EPOCH [1]?); don't activate
them for everyone.

> 1) Having the same mtime on all files in a tarball may cause problems

Definitely. HP-UX 'make' attempts to rebuild a file Y that depends on a
file X, if Y and X have the same timestamp (mtime). It has long been
known that you have to have actually different timestamps for some
files.

Bruno

[1] https://reproducible-builds.org/docs/source-date-epoch/
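
One way to make the mtime normalisation opt-in via SOURCE_DATE_EPOCH, as the message above asks, shown as an added example that is not part of the original e-mail or of gnulib. `make_dist_tarball` and `distinct_mtimes` are hypothetical helper names, and GNU tar 1.28 or later is assumed.

```shell
#!/bin/sh
# Added example: opt-in reproducible tarball creation (assumes GNU tar >= 1.28).
# Function names are hypothetical, not taken from gnulib.

make_dist_tarball() {
    # $1 = source directory, $2 = output tarball path
    srcdir=$1
    out=$2
    if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
        # Opt-in mode: fix member order, timestamps and ownership so that
        # repacking the same tree yields a byte-identical archive.
        tar --sort=name \
            --mtime="@${SOURCE_DATE_EPOCH}" \
            --owner=0 --group=0 --numeric-owner \
            --format=ustar \
            -cf "$out" -C "$srcdir" .
    else
        # Default mode: keep the real timestamps and ownership, so
        # generated files stay newer than their prerequisites.
        tar -cf "$out" -C "$srcdir" .
    fi
}

distinct_mtimes() {
    # Print how many distinct member mtimes tarball $1 contains.
    # A result of 1 means every file shares one timestamp, which is the
    # situation the message says HP-UX 'make' treats as out of date.
    tar --numeric-owner --full-time -tvf "$1" |
        awk '{ print $4, $5 }' | sort -u | wc -l | tr -d ' '
}
```

Running `distinct_mtimes` on a tarball before publishing shows at a glance whether it was packed in the normalised mode.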