New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support reproducible builds #495

Merged
merged 1 commit into from Dec 7, 2017

Conversation

Projects
None yet
2 participants
@Foxboron
Contributor

Foxboron commented Dec 6, 2017

Currently packaging gopass for Arch Linux into our repositories, and noticed there is an embedded build time that gets added. To get gopass reproducible it needs to adhere to SOURCE_DATE_EPOCH as documented by the reproducible builds project; https://reproducible-builds.org/docs/timestamps/

This patch adds the needed changes to the Makefile to achieve this. The logs below shows gopass built twice with the supplied patch.

λ fox@hackbook gopass » stat build1/gopass-1.6.2-1-x86_64.pkg.tar.xz
  File: build1/gopass-1.6.2-1-x86_64.pkg.tar.xz
  Size: 2870768   	Blocks: 5608       IO Block: 4096   regular file
Device: 17h/23d	Inode: 22830789    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/     fox)   Gid: ( 1000/     fox)
Access: 2017-12-07 00:46:03.021118052 +0100
Modify: 2017-12-07 00:45:24.557331147 +0100
Change: 2017-12-07 00:45:24.693999423 +0100
 Birth: -
λ fox@hackbook gopass » stat build2/gopass-1.6.2-1-x86_64.pkg.tar.xz
  File: build2/gopass-1.6.2-1-x86_64.pkg.tar.xz
  Size: 2870768   	Blocks: 5608       IO Block: 4096   regular file
Device: 17h/23d	Inode: 22831712    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/     fox)   Gid: ( 1000/     fox)
Access: 2017-12-07 00:47:26.365437312 +0100
Modify: 2017-12-07 00:46:02.797782082 +0100
Change: 2017-12-07 00:46:02.944450480 +0100
 Birth: -
λ fox@hackbook gopass » sha256sum build1/* build2/*
1ce072496c232de8857ef0b1acfbe150720cd513ae0b7cf80970a2d137af3886  build1/gopass-1.6.2-1-x86_64.pkg.tar.xz
1ce072496c232de8857ef0b1acfbe150720cd513ae0b7cf80970a2d137af3886  build2/gopass-1.6.2-1-x86_64.pkg.tar.xz

Build logs from a WIP tool: http://ix.io/CRr

Support reproducible builds
Embedded timestamps should adhere to SOURCE_DATE_EPOCH if present
as documented at https://reproducible-builds.org/docs/timestamps/

@dominikschulz dominikschulz self-requested a review Dec 7, 2017

@dominikschulz

This comment has been minimized.

Show comment
Hide comment
@dominikschulz

dominikschulz Dec 7, 2017

Contributor

Pretty nice, thank you!
I just want to refresh my memory on reproducible builds before merging this.

Contributor

dominikschulz commented Dec 7, 2017

Pretty nice, thank you!
I just want to refresh my memory on reproducible builds before merging this.

@dominikschulz

LGTM, Thank you!

@dominikschulz dominikschulz merged commit 49c0b05 into gopasspw:master Dec 7, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Details
@Foxboron

This comment has been minimized.

Show comment
Hide comment
@Foxboron

Foxboron Dec 16, 2017

Contributor

@dominikschulz Small headsup that i have added gopass to our community repos: https://www.archlinux.org/packages/community/x86_64/gopass/

Contributor

Foxboron commented Dec 16, 2017

@dominikschulz Small headsup that i have added gopass to our community repos: https://www.archlinux.org/packages/community/x86_64/gopass/

@dominikschulz

This comment has been minimized.

Show comment
Hide comment
@dominikschulz

dominikschulz Dec 16, 2017

Contributor

Amazing, thank you very much!

Contributor

dominikschulz commented Dec 16, 2017

Amazing, thank you very much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment