From 6437978c1514f819b53aed45deb6ece6666ffd1c Mon Sep 17 00:00:00 2001 From: Lars Erik Wik Date: Thu, 28 May 2026 11:00:32 +0200 Subject: [PATCH] Makefile.am: Make the source and package tarballs reproducible * Add --sort=name to the exported TAR_OPTIONS so $(am__tar) emits members in a stable order for both "make dist" and "make tar-package". * In dist-hook, normalize directory permissions to 755 and, when SOURCE_DATE_EPOCH is set, clamp every mtime to it. * In tar-package, clamp staged file mtimes to SOURCE_DATE_EPOCH and pass -n to gzip so the gzip header carries no timestamp. Ticket: ENT-14061 Signed-off-by: Lars Erik Wik --- Makefile.am | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/Makefile.am b/Makefile.am index ab9e6c0c24..5f8591e9f5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,13 +9,21 @@ masterfilesdir=$(prefix)/masterfiles EXTRA_DIST = README.md inventory/README.md lib/README.md CONTRIBUTING.md LICENSE CFVERSION modules/promises -# Do not reveal usernames of the buildslave -TAR_OPTIONS = --owner=0 --group=0 +# Do not reveal usernames of the buildslave, and emit members in a stable +# order so two builds of the same source tree produce an identical tarball. +TAR_OPTIONS = --owner=0 --group=0 --sort=name export TAR_OPTIONS -# Store the permissions properly in the tarball for acceptance tests to succeed +# Store the permissions properly in the tarball for acceptance tests to succeed. +# Also normalize directory permissions (which otherwise leak the builder's +# umask) and, when SOURCE_DATE_EPOCH is set, clamp every mtime to it so the +# "make dist" source tarball is reproducible. dist-hook: find $(distdir) -name '*.cf*' | xargs chmod go-w + find $(distdir) -type d -exec chmod 755 {} + + if [ -n "$$SOURCE_DATE_EPOCH" ]; then \ + find $(distdir) -exec touch -d @$$SOURCE_DATE_EPOCH {} + ; \ + fi tar-package: pkgdir=`mktemp -d` && export pkgdir && \ @@ -24,8 +32,11 @@ tar-package: $(MAKE) prefix=$$pkgdir install && \ ( cd $$pkgdir && \ find . -name '*.cf*' | xargs -n1 chmod go-w && \ + if [ -n "$$SOURCE_DATE_EPOCH" ]; then \ + find . -exec touch -d @$$SOURCE_DATE_EPOCH {} + ; \ + fi && \ tardir=. && $(am__tar) | \ - GZIP=$(GZIP_ENV) gzip -c \ + GZIP=$(GZIP_ENV) gzip -nc \ > "$$origdir"/$(PACKAGE)-$(VERSION)-$(RELEASE).pkg.tar.gz \ ) ; \ [ x$$pkgdir != x ] && rm -rf $$pkgdir