From 5014555438834ff4559abd1b646537229146a67a Mon Sep 17 00:00:00 2001
From: Wojtek Kosior <koszko@koszko.org>
Date: Tue, 18 Oct 2022 09:15:30 +0200
Subject: [builder][server][proxy] make generated tarballs reproducible

---
 .gitignore |  2 +-
 Makefile   | 67 ++++++++++++++++++++++++++++++++++++++++++++------------------
 2 files changed, 49 insertions(+), 20 deletions(-)

diff --git a/.gitignore b/.gitignore
index 63a911b..f24719d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,5 +13,5 @@ src/hydrilla/_version.py
 src/hydrilla/locales/messages.pot
 messages.mo
 make-release.log
-rel-tarball-repack
+*-tarball-repack
 haketilo-and-hydrilla-bin-*.tar.gz
diff --git a/Makefile b/Makefile
index 03e4454..00868a1 100644
--- a/Makefile
+++ b/Makefile
@@ -15,29 +15,54 @@ GUIX_TM = $(GUIX) time-machine --commit=$(GUIX_COMMIT) --
 
 GUIX_DEVSHELL = $(GUIX_TM) shell -Df guix.scm --
 
+GET_VER = $$(grep '^Version:' src/hydrilla.egg-info/PKG-INFO | cut -d' ' -f2)
+RECORD_VER = VER="$(GET_VER)"
+
+DETERMINISTIC_TAR = $(GUIX_TM) shell tar -- tar                             \
+	--mtime='1970-01-01 00:00Z'                                         \
+	--sort=name                                                         \
+	--owner=0 --group=0 --numeric-owner                                 \
+	--pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime
+
 wheel:
 	$(GUIX_DEVSHELL) python3 -m build
 
+# Make a source tarball and repack in a deterministic way so that its
+# reproducible.
 dist src/hydrilla/_version.py:
 	$(GUIX_DEVSHELL) python3 -m build -s
+	$(RECORD_VER) &&                                           \
+		RELNAME=hydrilla-"$$VER" &&                        \
+		DISTFILE=dist/"$$RELNAME".tar.gz &&                \
+		$(MAKE) clean-source-tarball-repack &&             \
+		mkdir source-tarball-repack/ &&                    \
+		tar -C source-tarball-repack/ -xf "$$DISTFILE" &&  \
+		$(DETERMINISTIC_TAR) -C source-tarball-repack/     \
+			-cf "$$DISTFILE" "$$RELNAME"
+	@printf "Generated source tarball in:\n"
+	@printf "./dist/hydrilla-$(GET_VER).tar.gz\n"
 
 # Make a release tarball and repack its files as writeable - this will make it
 # easier for non-technical users to remove the unpacked release once they no
 # longer need it.
-release: clean-tarball-repack dist
-	$(GUIX_TM) pack -L ./hydrilla-guix -RR hydrilla \
-		-S /hydrilla=bin/hydrilla \
-		-S /hydrilla-builder=bin/hydrilla-builder \
-		-S /hydrilla-server=bin/hydrilla-server \
+release: dist
+	$(GUIX_TM) pack -L ./hydrilla-guix -RR hydrilla          \
+		-S /hydrilla=bin/hydrilla                        \
+		-S /hydrilla-builder=bin/hydrilla-builder        \
+		-S /hydrilla-server=bin/hydrilla-server          \
 		-S /haketilo=bin/haketilo | tee make-release.log
-	VER="$$(grep '^Version:' src/hydrilla.egg-info/PKG-INFO | cut -d' ' -f2)" && \
-		RELNAME=haketilo-and-hydrilla-bin-"$$VER"-"$$(arch)" && \
-		PACKFILE="$$(tail -1 make-release.log)" && \
-		mkdir rel-tarball-repack/ && \
-		mkdir rel-tarball-repack/"$$RELNAME" && \
-		tar -C rel-tarball-repack/"$$RELNAME"/ -xf "$$PACKFILE" && \
-		chmod -R +w rel-tarball-repack/"$$RELNAME" && \
-		tar -C rel-tarball-repack/ -cf "$$RELNAME".tar.gz "$$RELNAME"
+	$(RECORD_VER) &&                                                   \
+		RELNAME=haketilo-and-hydrilla-bin-"$$VER"-"$$(arch)" &&    \
+		PACKFILE="$$(tail -1 make-release.log)" &&                 \
+		$(MAKE) clean-bin-tarball-repack &&                        \
+		mkdir bin-tarball-repack/ &&                               \
+		mkdir bin-tarball-repack/"$$RELNAME" &&                    \
+		tar -C bin-tarball-repack/"$$RELNAME"/ -xf "$$PACKFILE" && \
+		chmod -R +w bin-tarball-repack/"$$RELNAME" &&              \
+		$(DETERMINISTIC_TAR) -C bin-tarball-repack/                \
+			-cf "$$RELNAME".tar.gz "$$RELNAME"
+	@printf "Generated binary release tarball for $$(arch) in:\n"
+	@printf "./haketilo-and-hydrilla-bin-$(GET_VER)-$$(arch).tar.gz\n"
 
 shell:
 	$(GUIX_DEVSHELL) || true
@@ -58,16 +83,20 @@ test: src/hydrilla/_version.py catalogs
 run-haketilo: src/hydrilla/_version.py catalogs
 	PYTHONPATH=./src $(GUIX_DEVSHELL) python3 -m hydrilla.mitmproxy_launcher
 
-clean-tarball-repack:
-	test -d rel-tarball-repack/ && chmod -R +w rel-tarball-repack/ || true
-	rm -rf rel-tarball-repack/
+clean-bin-tarball-repack:
+	test -d bin-tarball-repack/ && chmod -R +w bin-tarball-repack/ || true
+	rm -rf bin-tarball-repack/
+
+clean-source-tarball-repack:
+	rm -rf source-tarball-repack/
 
-clean: clean-tarball-repack
+clean: clean-bin-tarball-repack clean-source-tarball-repack
 	rm -rf build/ dist/ src/hydrilla.egg-info src/hydrilla/_version.py \
-		src/hydrilla/locales/messages.pot make-release.log \
+		src/hydrilla/locales/messages.pot make-release.log         \
 		haketilo-and-hydrilla-bin-*.tar.gz
 	find src/hydrilla/locales/ -name "messages.mo" -delete
 	rm -rf $$(find -name "__pycache__")
 
 .PHONY: release shell shell-with-haketilo dist wheel catalogs refresh-catalogs \
-	test run-haketilo clean-tarball-repack clean
+	test run-haketilo clean-source-tarball-repack clean-bin-tarball-repack \
+	clean
-- 
cgit v1.2.3