[tor-bugs] #31264 [Applications/rbm]: tar.gz output files contain nonreproducible timestamps
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Jul 30 00:42:54 UTC 2019
#31264: tar.gz output files contain nonreproducible timestamps
------------------------+----------------------------------
Reporter: JeremyRand | Owner: boklm
Type: defect | Status: new
Priority: Medium | Component: Applications/rbm
Version: | Severity: Normal
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
------------------------+----------------------------------
Steps to reproduce:
Run the following command twice:
./rbm/rbm build gocompress --target nightly --target torbrowser-linux-x86_64
Expected results:
The output .tar.gz files should be identical.
Observed results:
The gzip header contains different timestamps per build, based on when the
build was done. See the following Diffoscope:
https://try.diffoscope.org/kpqdeyggzdec.html
Text version of Diffoscope output in case the above link expires:
--- a/gocompress-cc9eb1d7ad76-linux-x86_64-4fd18e.tar.gz
+++ b/gocompress-cc9eb1d7ad76-linux-x86_64-4fd18e.tar.gz
├── filetype from file(1)
│ @@ -1 +1 @@
│ -gzip compressed data, last modified: Tue Jul 30 00:09:03 2019, from
Unix, original size 20551680
│ +gzip compressed data, last modified: Tue Jul 30 00:11:48 2019, from
Unix, original size 20551680
Other notes:
Switching from .tar.gz to .tar.xz fixes the issue and results in
reproducible binaries. Given that .xz has much better compression than
.gz and (AFAIK) is usually readily available on GNU/Linux and macOS
systems just like .gz, my recommendation is to simply switch the .tar.gz
to .tar.xz in tor-browser-build, and add a warning to the "tar" entry in
rbm's options_misc.asc saying that .gz compression should not be used
because it will break reproducibility.
Since this issue affects both rbm and Tor Browser, I'm not sure which
component to select for this ticket. I'm going with rbm, but feel free to
change that if you like. Or feel free to split it into 2 tickets if that
makes it easier to make sure that both components get a fix.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31264>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
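
The observed difference can be localized to the 4-byte MTIME field of the gzip header (RFC 1952). The following is an added example, not part of the ticket or of rbm: the payload is constructed, the two timestamps are the ones from the Diffoscope output (treated as UTC, which is an assumption), and pinning MTIME to 0 is shown only to confirm that the header field is the sole source of the difference.

```python
import calendar
import gzip
import io
import struct


def gzip_bytes(payload: bytes, mtime: int) -> bytes:
    """Compress payload with an explicit value for the gzip header MTIME field."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=mtime) as gz:
        gz.write(payload)
    return buf.getvalue()


def header_mtime(blob: bytes) -> int:
    """Read MTIME from the fixed 10-byte gzip header: ID1 ID2 CM FLG MTIME(4, LE) XFL OS."""
    if len(blob) < 10 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream")
    return struct.unpack_from("<I", blob, 4)[0]


def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length streams differ."""
    if len(a) != len(b):
        raise ValueError("streams differ in length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed stand-in for the tar stream; identical for every "build".
PAYLOAD = b"constructed stand-in for the tar stream\n" * 1000
# Timestamps from the Diffoscope output, assumed to be UTC.
T1 = calendar.timegm((2019, 7, 30, 0, 9, 3))
T2 = calendar.timegm((2019, 7, 30, 0, 11, 48))


def demo():
    first, second = gzip_bytes(PAYLOAD, T1), gzip_bytes(PAYLOAD, T2)
    pinned_a, pinned_b = gzip_bytes(PAYLOAD, 0), gzip_bytes(PAYLOAD, 0)
    return differing_offsets(first, second), header_mtime(first), pinned_a == pinned_b


if __name__ == "__main__":
    offsets, mtime, pinned_equal = demo()
    print("differing byte offsets:", offsets)
    print("MTIME of first build:", mtime)
    print("identical with MTIME pinned to 0:", pinned_equal)
```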