[tor-bugs] #31264 [Applications/rbm]: tar.gz output files contain nonreproducible timestamps

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 30 00:42:54 UTC 2019


#31264: tar.gz output files contain nonreproducible timestamps
------------------------+----------------------------------
 Reporter:  JeremyRand  |          Owner:  boklm
     Type:  defect      |         Status:  new
 Priority:  Medium      |      Component:  Applications/rbm
  Version:              |       Severity:  Normal
 Keywords:              |  Actual Points:
Parent ID:              |         Points:
 Reviewer:              |        Sponsor:
------------------------+----------------------------------
 Steps to reproduce:

 Run the following command twice:

 ./rbm/rbm build gocompress --target nightly --target torbrowser-linux-x86_64

 Expected results:

 The output .tar.gz files should be identical.

 Observed results:

 The gzip header contains different timestamps per build, based on when the
 build was done.  See the following Diffoscope:

 https://try.diffoscope.org/kpqdeyggzdec.html

 Text version of Diffoscope output in case the above link expires:

 --- a/gocompress-cc9eb1d7ad76-linux-x86_64-4fd18e.tar.gz
 +++ b/gocompress-cc9eb1d7ad76-linux-x86_64-4fd18e.tar.gz
 ├── filetype from file(1)
 │ @@ -1 +1 @@
 │ -gzip compressed data, last modified: Tue Jul 30 00:09:03 2019, from
 Unix, original size 20551680
 │ +gzip compressed data, last modified: Tue Jul 30 00:11:48 2019, from
 Unix, original size 20551680

 Other notes:

 Switching from .tar.gz to .tar.xz fixes the issue and results in
 reproducible binaries.  Given that .xz has much better compression than
 .gz and (AFAIK) is usually readily available on GNU/Linux and macOS
 systems just like .gz, my recommendation is to simply switch the .tar.gz
 to .tar.xz in tor-browser-build, and add a warning to the "tar" entry in
 rbm's options_misc.asc saying that .gz compression should not be
 used because it will break reproducibility.

 Since this issue affects both rbm and Tor Browser, I'm not sure which
 component to select for this ticket.  I'm going with rbm, but feel free to
 change that if you like.  Or feel free to split it into 2 tickets if that
 makes it easier to make sure that both components get a fix.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31264>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
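
The timestamp difference reported in this ticket sits in the gzip header's MTIME field (RFC 1952, header bytes 4-7). The following is an added example, not part of the original ticket or of rbm's code: it compresses one constructed tar payload with two different header timestamps, shows that only those four bytes differ, and shows that pinning MTIME to 0 gives identical output. All function names and sample values are assumptions made for illustration.

```python
import gzip
import io
import struct
import tarfile

def make_tar(files):
    """Build a tar whose member metadata is fixed (constructed sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):          # stable member order
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0                  # fixed member timestamp
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def gz(data, mtime):
    """Gzip `data`, writing `mtime` (epoch seconds) into the header."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=mtime) as f:
        f.write(data)
    return out.getvalue()

def gzip_mtime(blob):
    """Return the MTIME header field: 4 bytes, little-endian, at offset 4."""
    if blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack_from("<I", blob, 4)[0]

def differing_offsets(a, b):
    """Byte offsets at which two equal-length blobs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    tar = make_tar({"bin/gocompress": b"constructed payload\n" * 64})
    # Two constructed build times, 165 seconds apart.
    first, second = gz(tar, 1564445343), gz(tar, 1564445508)
    print("header MTIMEs:", gzip_mtime(first), gzip_mtime(second))
    print("differing offsets:", differing_offsets(first, second))
    print("identical with mtime=0:", gz(tar, 0) == gz(tar, 0))
```
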