x/build/cmd/release: ensure fully reproducible builds, including tar.gz/zip archives #24904
Go already supports reproducible builds (with no action required), but our Go releases have .tar.gz/.zip archives that have timestamps.
We should probably make cmd/release also produce reproducible output and pin the archive file entry timestamps to the git commit time of the tagged commit we're building.
The buildlet sends a tarball to the x/build/cmd/release client.
The buildlet uses tar.FileInfoHeader.
The source on the buildlet ultimately comes from git (via git archive, via the gitmirror service, via the coordinator), but when the buildlet writes the git archive to disk, it clamps the file time to system time:
So it might all work for free today, assuming we have no files with future modtimes in the git repo.
But it's a little fragile.
It'd be nice if x/build/cmd/release enforced all the modtimes with something predictable, like using the same modtime for all files, picking the time of the git commit of the whole release.
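An added sketch of the pinning proposed above, not code from this issue or from x/build: it re-emits a tarball as .tar.gz with every entry's modtime set to one commit time. `PinTarGz`, `SampleTar`, the sample file and the commit time are hypothetical; the input is assumed to hold only file, directory and link entries.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"time"
)

// PinTarGz (hypothetical) re-emits tar stream src as .tar.gz, all modtimes = commitTime.
func PinTarGz(src []byte, commitTime time.Time) ([]byte, error) {
	var out bytes.Buffer
	zw := gzip.NewWriter(&out) // gzip Header.ModTime stays zero: MTIME field is 0
	tw, tr := tar.NewWriter(zw), tar.NewReader(bytes.NewReader(src))
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		if err := tw.WriteHeader(&tar.Header{Typeflag: h.Typeflag, Name: h.Name,
			Linkname: h.Linkname, Mode: h.Mode, Size: h.Size, ModTime: commitTime}); err != nil {
			return nil, err // owner ids/names and atime/ctime are deliberately not copied
		}
		if _, err := io.Copy(tw, tr); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	err := zw.Close() // flush before reading out.Bytes()
	return out.Bytes(), err
}

func SampleTar(mod time.Time) []byte { // constructed one-file input stamped with mod
	var b bytes.Buffer
	tw := tar.NewWriter(&b)
	tw.WriteHeader(&tar.Header{Name: "go/VERSION", Mode: 0644, Size: 4, ModTime: mod, Uid: 1000})
	tw.Write([]byte("go1\n"))
	tw.Close()
	return b.Bytes()
}

func main() {
	a, errA := PinTarGz(SampleTar(time.Unix(1, 0)), time.Unix(1500000000, 0)) // placeholder commit time
	b, errB := PinTarGz(SampleTar(time.Unix(2, 0)), time.Unix(1500000000, 0))
	fmt.Println("identical:", errA == nil && errB == nil && bytes.Equal(a, b))
}
```

The compressed bytes are stable only for a given compress/flate implementation, so the Go version that builds the release tool is itself an input to reproducibility.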