From 5014555438834ff4559abd1b646537229146a67a Mon Sep 17 00:00:00 2001
From: Wojtek Kosior
Date: Tue, 18 Oct 2022 09:15:30 +0200
Subject: [builder][server][proxy] make generated tarballs reproducible
---
 .gitignore | 2 +-
 Makefile | 67 ++++++++++++++++++++++++++++++++++++++++++++------------------
 2 files changed, 49 insertions(+), 20 deletions(-)
diff --git a/.gitignore b/.gitignore
index 63a911b..f24719d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -13,5 +13,5 @@ src/hydrilla/_version.py
 src/hydrilla/locales/messages.pot
 messages.mo
 make-release.log
-rel-tarball-repack
+*-tarball-repack
 haketilo-and-hydrilla-bin-*.tar.gz
diff --git a/Makefile b/Makefile
index 03e4454..00868a1 100644
--- a/Makefile
+++ b/Makefile
@@ -15,29 +15,54 @@ GUIX_TM = $(GUIX) time-machine --commit=$(GUIX_COMMIT) -- GUIX_DEVSHELL = $(GUIX_TM) shell -Df guix.scm -- +GET_VER = $$(grep '^Version:' src/hydrilla.egg-info/PKG-INFO | cut -d' ' -f2) +RECORD_VER = VER="$(GET_VER)" + +DETERMINISTIC_TAR = $(GUIX_TM) shell tar -- tar \ + --mtime='1970-01-01 00:00Z' \ + --sort=name \ + --owner=0 --group=0 --numeric-owner \ + --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime + wheel: $(GUIX_DEVSHELL) python3 -m build +# Make a source tarball and repack in a deterministic way so that its +# reproducible. dist src/hydrilla/_version.py: $(GUIX_DEVSHELL) python3 -m build -s + $(RECORD_VER) && \ + RELNAME=hydrilla-"$$VER" && \ + DISTFILE=dist/"$$RELNAME".tar.gz && \ + $(MAKE) clean-source-tarball-repack && \ + mkdir source-tarball-repack/ && \ + tar -C source-tarball-repack/ -xf "$$DISTFILE" && \ + $(DETERMINISTIC_TAR) -C source-tarball-repack/ \ + -cf "$$DISTFILE" "$$RELNAME" + @printf "Generated source tarball in:\n" + @printf "./dist/hydrilla-$(GET_VER).tar.gz\n" # Make a release tarball and repack its files as writeable - this will make it # easier for non-technical users to remove the unpacked release once they no # longer need it. 
-release: clean-tarball-repack dist - $(GUIX_TM) pack -L ./hydrilla-guix -RR hydrilla \ - -S /hydrilla=bin/hydrilla \ - -S /hydrilla-builder=bin/hydrilla-builder \ - -S /hydrilla-server=bin/hydrilla-server \ +release: dist + $(GUIX_TM) pack -L ./hydrilla-guix -RR hydrilla \ + -S /hydrilla=bin/hydrilla \ + -S /hydrilla-builder=bin/hydrilla-builder \ + -S /hydrilla-server=bin/hydrilla-server \ -S /haketilo=bin/haketilo | tee make-release.log - VER="$$(grep '^Version:' src/hydrilla.egg-info/PKG-INFO | cut -d' ' -f2)" && \ - RELNAME=haketilo-and-hydrilla-bin-"$$VER"-"$$(arch)" && \ - PACKFILE="$$(tail -1 make-release.log)" && \ - mkdir rel-tarball-repack/ && \ - mkdir rel-tarball-repack/"$$RELNAME" && \ - tar -C rel-tarball-repack/"$$RELNAME"/ -xf "$$PACKFILE" && \ - chmod -R +w rel-tarball-repack/"$$RELNAME" && \ - tar -C rel-tarball-repack/ -cf "$$RELNAME".tar.gz "$$RELNAME" + $(RECORD_VER) && \ + RELNAME=haketilo-and-hydrilla-bin-"$$VER"-"$$(arch)" && \ + PACKFILE="$$(tail -1 make-release.log)" && \ + $(MAKE) clean-bin-tarball-repack && \ + mkdir bin-tarball-repack/ && \ + mkdir bin-tarball-repack/"$$RELNAME" && \ + tar -C bin-tarball-repack/"$$RELNAME"/ -xf "$$PACKFILE" && \ + chmod -R +w bin-tarball-repack/"$$RELNAME" && \ + $(DETERMINISTIC_TAR) -C bin-tarball-repack/ \ + -cf "$$RELNAME".tar.gz "$$RELNAME" + @printf "Generated binary release tarball for $$(arch) in:\n" + @printf "./haketilo-and-hydrilla-bin-$(GET_VER)-$$(arch).tar.gz\n" shell: $(GUIX_DEVSHELL) || true 
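Review bot: File modes are the one piece of metadata `DETERMINISTIC_TAR` does not pin, so both repacked archives can still vary with the builder's umask: when run as an ordinary user the `tar -xf` steps apply the umask on unpack, and `chmod -R +w` with no who-part only sets the write bits the umask allows. Adding a line such as `--mode=go=rX,u+rw,a-s \` to the variable would normalize permissions the same way mtime and ownership already are, which matters when third parties rebuild to compare against published hashes. Separately, `-cf` is given a `.tar.gz` name with no `-z` or `-a` visible, so the result appears to be an uncompressed tar; if gzip is added later it needs `gzip -n` to keep its own timestamp out of the output.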
@@ -58,16 +83,20 @@ test: src/hydrilla/_version.py catalogs run-haketilo: src/hydrilla/_version.py catalogs PYTHONPATH=./src $(GUIX_DEVSHELL) python3 -m hydrilla.mitmproxy_launcher -clean-tarball-repack: - test -d rel-tarball-repack/ && chmod -R +w rel-tarball-repack/ || true - rm -rf rel-tarball-repack/ +clean-bin-tarball-repack: + test -d bin-tarball-repack/ && chmod -R +w bin-tarball-repack/ || true + rm -rf bin-tarball-repack/ + +clean-source-tarball-repack: + rm -rf source-tarball-repack/ -clean: clean-tarball-repack +clean: clean-bin-tarball-repack clean-source-tarball-repack rm -rf build/ dist/ src/hydrilla.egg-info src/hydrilla/_version.py \ - src/hydrilla/locales/messages.pot make-release.log \ + src/hydrilla/locales/messages.pot make-release.log \ haketilo-and-hydrilla-bin-*.tar.gz find src/hydrilla/locales/ -name "messages.mo" -delete rm -rf $$(find -name "__pycache__") .PHONY: release shell shell-with-haketilo dist wheel catalogs refresh-catalogs \ - test run-haketilo clean-tarball-repack clean + test run-haketilo clean-source-tarball-repack clean-bin-tarball-repack \ + clean -- cgit v1.2.3
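Review bot: The two clean targets differ only in the `chmod -R +w` step and nothing says why, so a one-line comment above `clean-bin-tarball-repack` such as `# Unpacked Guix pack trees may be read-only; restore write bits so rm -rf can remove them.` would keep someone from simplifying it away. That rationale is inferred from the release comment about repacking files as writeable, so confirm the wording. The `|| true` on the same line also hides a failed chmod, leaving the following `rm -rf` as the only place an error would surface.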