support SOURCE_DATE_EPOCH to make gem spec reproducible #2278
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I'm not familiar with SOURCE_DATE_EPOCH environment variable. Is it major on the linux distribution like debian, fedora, archlinux? |
|
Yes, actually Debian folks invented it. Every bigger distro uses it in its (reproducible) build tools. Arch Linux will properly support it in makepkg with the upcoming release of pacman.
S_D_E became a defacto standard to deal with dates in build artifacts, adopted by tons of programs like gcc itself.
|
|
Does this actually make the generated tar files byte for byte equal? If that’s the goal, should we add test coverage for that? |
|
That could be a good general goal. For this PR I only targeted the generated gemspec stuff as that's what made the packages we ship in arch Linux unreproducible. We don't ship any tarballs directly just extract the final gem into a DESTDIR like folder to package it with the distro specific tools.
If you want to investigate further also on tarballs stuff, you should give "diffoscope" a shot it helps find what makes an artifact not reproducible bit by bit by analyzing its content.
|
|
@hsbt @segiddins So i took a look at the TarHeader and TarWriter stuff and I think its not hard to make it fully reproducible. |
duckinator
reviewed
May 9, 2018
lib/rubygems/specification.rb
Outdated
| # The date this gem was created. Lazily defaults to the current UTC date. | ||
| # The date this gem was created. Lazily defaults to the current UTC date or if | ||
| # SOURCE_DATE_EPOCH is set as an environment variable (unix timestamp) to | ||
| # support reproducible builds. |
There was a problem hiding this comment.
@anthraxx Thoughts on changing this to something like the following?
# The date this gem was created.
#
# If SOURCE_DATE_EPOCH is set as an environment variable, use that to support
# reproducible builds; otherwise, default to the current UTC date.
#
# Details on SOURCE_DATE_EPOCH:
# https://reproducible-builds.org/specs/source-date-epoch/
Optionally respect the SOURCE_DATE_EPOCH environment variable to be used instead of TODAY to allow reproducible builds of created gem specs. In case none is specified, fall back to the current time.
|
@anthraxx Thanks for your explanation. I prefer your idea. |
|
👍🏻 |
|
@bundlerbot r+ thanks for the PR, @anthraxx! |
|
📌 Commit 9fc4ca4 has been approved by |
bundlerbot
added a commit
that referenced
this pull request
May 12, 2018
support SOURCE_DATE_EPOCH to make gem spec reproducible Optionally respect the SOURCE_DATE_EPOCH environment variable to be used instead of TODAY to allow reproducible builds of created gem specs. In case none is specified, fall back to the current time. ______________ The problem is that using TODAY will change during time which makes created artifacts not reproducible (bit by bit identical). Spec: https://reproducible-builds.org/specs/source-date-epoch/ Buy-in: https://reproducible-builds.org/docs/buy-in/ # Tasks: - [x] Describe the problem / feature - [x] Write tests - [x] Write code to solve the problem - [x] Get code review from coworkers / friends I will abide by the [code of conduct](https://github.com/rubygems/rubygems/blob/master/CODE_OF_CONDUCT.md).
|
💔 Test failed - status-travis |
|
^ tm that doesn't look like i broke it 😼 |
|
@bundlerbot retry ¯\(ツ)/¯ |
bundlerbot
added a commit
that referenced
this pull request
May 12, 2018
support SOURCE_DATE_EPOCH to make gem spec reproducible Optionally respect the SOURCE_DATE_EPOCH environment variable to be used instead of TODAY to allow reproducible builds of created gem specs. In case none is specified, fall back to the current time. ______________ The problem is that using TODAY will change during time which makes created artifacts not reproducible (bit by bit identical). Spec: https://reproducible-builds.org/specs/source-date-epoch/ Buy-in: https://reproducible-builds.org/docs/buy-in/ # Tasks: - [x] Describe the problem / feature - [x] Write tests - [x] Write code to solve the problem - [x] Get code review from coworkers / friends I will abide by the [code of conduct](https://github.com/rubygems/rubygems/blob/master/CODE_OF_CONDUCT.md).
bundlerbot
added a commit
that referenced
this pull request
May 12, 2018
support SOURCE_DATE_EPOCH to make gem spec reproducible Optionally respect the SOURCE_DATE_EPOCH environment variable to be used instead of TODAY to allow reproducible builds of created gem specs. In case none is specified, fall back to the current time. ______________ The problem is that using TODAY will change during time which makes created artifacts not reproducible (bit by bit identical). Spec: https://reproducible-builds.org/specs/source-date-epoch/ Buy-in: https://reproducible-builds.org/docs/buy-in/ # Tasks: - [x] Describe the problem / feature - [x] Write tests - [x] Write code to solve the problem - [x] Get code review from coworkers / friends I will abide by the [code of conduct](https://github.com/rubygems/rubygems/blob/master/CODE_OF_CONDUCT.md).
|
☀️ Test successful - status-travis |
4 tasks
bundlerbot
added a commit
that referenced
this pull request
May 14, 2018
…hsbt support SOURCE_DATE_EPOCH to make gem tar reproducible Optionally respect the SOURCE_DATE_EPOCH environment variable to be used instead of Time.now to allow reproducible builds of created gem tarballs. In case none is specified, fall back to the current time. # Description: The problem is that using Time.now will change during time which makes created gem tarballs not reproducible (bit by bit identical). This is related to making the .gemspec file's itself reproducible: #2278 Spec: https://reproducible-builds.org/specs/source-date-epoch/ Buy-in: https://reproducible-builds.org/docs/buy-in/ ______________ # Tasks: - [x] Describe the problem / feature - [x] Write tests - [x] Write code to solve the problem - [x] Get code review from coworkers / friends I will abide by the [code of conduct](https://github.com/rubygems/rubygems/blob/master/CODE_OF_CONDUCT.md).
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Optionally respect the SOURCE_DATE_EPOCH environment variable to be used
instead of TODAY to allow reproducible builds of created gem specs.
In case none is specified, fall back to the current time.
The problem is that using TODAY will change during time which makes created artifacts not reproducible (bit by bit identical).
Spec:
https://reproducible-builds.org/specs/source-date-epoch/
Buy-in:
https://reproducible-builds.org/docs/buy-in/
Tasks:
I will abide by the code of conduct.