All,

I have pushed out a new gnulib-20250729.bundle snapshot:

https://ftp.gnu.org/gnu/gnulib/

I was able to bit-by-bit-identically reproduce it on a separate machine,
based on earlier feedback from the git community about `git repack
-adf`, and wrote a little about that process:

https://blog.josefsson.org/2025/07/31/independently-reproducible-git-bundles/

I pushed the attached documentation patch to update the release recipe
in the manual...

...but unfortunately adding that commit to the git repository broke
reproducibility of the git bundle, at least in my initial experiments
using the commands from the manual.  Still this is progress compared to
last time, where I wasn't even able to reproduce the bundle on a
different machine myself.  More research is needed here.

/Simon
From 6bb58afd0e0c21a5260a3a5b4a2dc94e8e2e2a6d Mon Sep 17 00:00:00 2001
From: Simon Josefsson <si...@josefsson.org>
Date: Thu, 31 Jul 2025 16:21:30 +0200
Subject: [PATCH] doc: Improvements for gnulib git bundle.

* doc/gnulib-git-bundle.texi (Gnulib Git Bundle): Add 20250729 release.
Improve reproducibility instructions.
---
 ChangeLog                  |  6 ++++
 doc/gnulib-git-bundle.texi | 60 +++++++++++++++++++++-----------------
 2 files changed, 40 insertions(+), 26 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6bde98b7af..8065c90e03 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2025-07-31  Simon Josefsson  <si...@josefsson.org>
+
+	doc: Improvements for gnulib git bundle.
+	* doc/gnulib-git-bundle.texi (Gnulib Git Bundle): Add 20250729 release.
+	Improve reproducibility instructions.
+
 2025-07-29  Collin Funk  <collin.fu...@gmail.com>
 
 	announce-gen: Support all non-deprecated Automake dist formats.
diff --git a/doc/gnulib-git-bundle.texi b/doc/gnulib-git-bundle.texi
index dc4e66f832..f80f0d3f2a 100644
--- a/doc/gnulib-git-bundle.texi
+++ b/doc/gnulib-git-bundle.texi
@@ -3,44 +3,46 @@
 
 To provide a serialized archival copy of the Gnulib Git repository we
 publish Git Bundles (@url{https://git-scm.com/docs/git-bundle}) of
-Gnulib at @url{https://ftp.gnu.org/gnu/gnulib/}.  These may be useful if
-Savannah happens to be offline or if you want to have a GnuPG signed
-confirmation of the Gnulib content.
+Gnulib at @url{https://ftp.gnu.org/gnu/gnulib/}.  These may be useful
+if Savannah happens to be offline or if you want to have a GnuPG
+signed confirmation of the Gnulib content.
 
 The files are named like @code{gnulib-YYYYMMDD.bundle}, for example
-@code{gnulib-20250303.bundle}, where @code{YYYYMMDD} corresponds to
+@code{gnulib-20250729.bundle}, where @code{YYYYMMDD} corresponds to
 the Git commit date (in UTC0) of the last commit on the @code{master}
 branch in the bundle.
 
-Next to the Git Bundle is a PGP signature on the file, named
-@code{gnulib-YYYYMMDD.bundle.sig}, which can be verified using GnuPG
-as usual:
+After downloading the Git bundle you may use it to create a local
+gnulib clone using normal Git commands:
 
 @example
-gpg --verify gnulib-20250303.bundle.sig
+wget -nv https://ftp.gnu.org/gnu/gnulib/gnulib-20250729.bundle
+git clone gnulib-20250729.bundle gnulib
+cd gnulib
 @end example
 
-Or using the simpler @code{gpgv} tool like this:
+Below are SHA-256 checksums of known releases:
 
 @example
-gpgv gnulib-20250303.bundle.sig gnulib-20250303.bundle
+9dae009ef9dd7cff17b74c0cda5d7a423e2ed98b4f5b7aa29a970565b0591c06  gnulib-20250303.bundle
+f01e423a7ef6b48e947fabd24bb11744204f4549342416e15dc64f427caa32e2  gnulib-20250729.bundle
 @end example
 
-After downloading the Git bundle you may use it to create a local
-gnulib clone using normal Git commands:
+Next to the Git Bundle is a GnuPG signature on the file, named
+@code{gnulib-YYYYMMDD.bundle.sig}, which can be verified using GnuPG
+as usual:
 
 @example
-git clone /path/to/your/gnulib-20250303.bundle gnulib
-cd gnulib
+gpg --verify gnulib-20250729.bundle.sig
 @end example
 
-Below are SHA-256 checksums of known releases:
+Or using the simpler @code{gpgv} tool like this:
 
 @example
-9dae009ef9dd7cff17b74c0cda5d7a423e2ed98b4f5b7aa29a970565b0591c06  gnulib-20250303.bundle
+gpgv gnulib-20250729.bundle.sig gnulib-20250729.bundle
 @end example
 
-The following PGP keys have signed releases:
+The following GnuPG keys have signed releases:
 
 @example
 sec>  ed25519 2019-03-20 [SC] https://josefsson.org/key-20190320.txt
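Review bot: the reordering in this hunk makes the reader run `wget -nv ...` and `git clone gnulib-20250729.bundle gnulib` before the SHA-256 checksums and the GnuPG signature are mentioned at all, which sits oddly with the stated purpose of a "GnuPG signed confirmation of the Gnulib content". Suggest moving the clone example after the checksum and signature sections, or adding a sentence that the signature (or at least the checksum) should be checked before cloning; `git bundle verify gnulib-20250729.bundle` is a further cheap integrity check worth mentioning there. It would also help to say how the checksum list is meant to be used, e.g. `sha256sum -c` against a saved copy of those two lines, rather than only listing the digests.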
@@ -48,24 +50,30 @@ sec>  ed25519 2019-03-20 [SC] https://josefsson.org/key-20190320.txt
 uid           [ultimate] Simon Josefsson <simon@@josefsson.org>
 @end example
 
-We desire that the Gnulib Git bundles are bit-by-bit reproducible,
-however we do not know how to achieve this.  Currently gnulib
-maintainers may invoke the following commands to prepare and upload a
-Gnulib git bundle.  We appreciate ideas on how to improve these set of
-commands (or the upstream Git tool) so that the bundle may be
-bit-by-bit reproducible by anyone.
+We desire that the Gnulib Git bundles will be forever bit-by-bit
+reproducible for others from the official git repository.  Currently
+gnulib maintainers may invoke the following commands to prepare and
+upload a Gnulib git bundle.  We appreciate ideas on how to improve
+these set of commands (or the upstream Git tool) to make further
+supply-chain security related improvements.
 
 @example
 cd $(mktemp -d)
-REV=ac9dd0041307b1d3a68d26bf73567aa61222df54 # master branch commit to package
+REV=225973a89f50c2b494ad947399425182dd42618c   # master branch commit to package
+S1REV=475dd38289d33270d0080085084bf687ad77c74d # stable-202501 branch commit
+S2REV=e8cc0791e6bb0814cf4e88395c06d5e06655d8b5 # stable-202507 branch commit
 git clone https://git.savannah.gnu.org/git/gnulib.git
 cd gnulib
 git fsck # attempt to validate input
-# inspect that the new tree matches a trusted copy
+# Manually inspect that the new tree matches a trusted previous copy
 git checkout -B master $REV # put $REV at master
+# Add all stable-* branches locally:
 for b in $(git branch -r | grep origin/stable- | sort --version-sort); do git checkout $@{b#origin/@}; done
+git checkout -B stable-202501 $S1REV
+git checkout -B stable-202507 $S2REV
 git remote remove origin # drop some unrelated branches
-git gc --prune=now # drop any commits after $REV
+git gc --prune=now # drop any unrelated commits, not clear this helps
+git -c pack.threads=1 repack -adF
 git -c 'pack.threads=1' bundle create gnulib.bundle --all
 V=$(env TZ=UTC0 git show -s --date=format:%Y%m%d --pretty=%cd master)
 mv gnulib.bundle gnulib-$V.bundle
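Review bot: the branch pinning in this hunk is incomplete relative to the new "forever bit-by-bit reproducible" wording. The `for b in $(git branch -r | grep origin/stable- ...)` loop still checks out every stable-* branch at whatever commit origin happens to have at clone time, and only stable-202501 and stable-202507 are afterwards reset to `$S1REV`/`$S2REV`, so any other stable-* branch enters the bundle unpinned and the result depends on when the clone was made. Either record and pin a commit for each stable-* branch, or drop the loop and create only the explicitly pinned branches. Two smaller points: the cover letter speaks of `git repack -adf` while the hunk uses `-adF` (`-F` implies `-f` but additionally passes `--no-reuse-object` to pack-objects), so please confirm which was used for the reproduced 20250729 bundle; and "these set of commands" should read "this set of commands" (the phrase survives from the old text).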
-- 
2.50.1

Attachment: signature.asc
Description: PGP signature
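The manual text in the patch above describes how a maintainer produces a bundle and lists the checksums a downloader should compare. As an added example that is not part of Simon's patch or the gnulib manual, the following POSIX shell script runs the producer side of that recipe (gc, single-threaded `repack -adF`, `bundle create --all`, YYYYMMDD name taken from the master commit date) on a constructed throwaway repository, and then performs the consumer-side checks that should happen before cloning from a downloaded bundle: SHA-256 comparison against a checksum list and `git bundle verify`. GnuPG verification is left out because it needs the signer's key; the `example-` file name prefix, the commit content, the committer identity and the dates are all assumptions of this demo, and the checksum list is generated locally rather than taken from ftp.gnu.org.

```shell
#!/bin/sh
# Added example, not code from the gnulib manual or from this patch: build a
# throwaway repository, package it the way the manual's recipe does, then run
# the checks a downloader should perform before `git clone`-ing a bundle.
# All repository content, identities, dates and the checksum list are
# constructed here.
set -eu

# make_repo DIR: create a repository with one commit at a fixed date, so the
# demo behaves the same on every run (assumed content and identity).
make_repo() {
  mkdir -p "$1"
  (
    cd "$1"
    git init -q
    git symbolic-ref HEAD refs/heads/master
    git config user.name "Example Maintainer"
    git config user.email "maintainer@example.invalid"
    printf 'hello\n' > README
    git add README
    GIT_AUTHOR_DATE='2025-07-29T00:00:00+0000' \
    GIT_COMMITTER_DATE='2025-07-29T00:00:00+0000' \
      git commit -q -m 'Initial commit'
  )
}

# make_bundle REPO OUTDIR: repack REPO and write OUTDIR/example-YYYYMMDD.bundle,
# printing the bundle's path.  Follows the manual's commands (gc, single
# threaded repack -adF, bundle create --all, name from master's commit date);
# the "example-" prefix is an assumption of this demo.
make_bundle() {
  repo=$1; outdir=$2
  (
    cd "$repo"
    git gc -q --prune=now
    git -c pack.threads=1 repack -q -adF
    v=$(TZ=UTC0 git show -s --date=format:%Y%m%d --pretty=%cd master)
    git -c pack.threads=1 bundle create "$outdir/example-$v.bundle" --all >/dev/null 2>&1
    printf '%s\n' "$outdir/example-$v.bundle"
  )
}

# verify_bundle BUNDLE SUMS: print "ok" only if BUNDLE's SHA-256 matches its
# entry in SUMS (sha256sum format, other entries may refer to files you do
# not have) and `git bundle verify` accepts the bundle.  Otherwise print the
# failing stage and return 1.
verify_bundle() {
  bundle=$1; sums=$2
  if ! (cd "$(dirname "$bundle")" \
        && sha256sum -c --quiet --strict --ignore-missing "$sums" >/dev/null 2>&1); then
    echo checksum-mismatch; return 1
  fi
  # git needs to be inside some repository to verify a bundle; an empty
  # one stands in for the "nothing cloned yet" state of a downloader.
  if ! (cd "$(mktemp -d)" && git init -q && git bundle verify "$bundle" >/dev/null 2>&1); then
    echo bundle-invalid; return 1
  fi
  echo ok
}
```

Usage from a shell: `make_repo /tmp/src; b=$(make_bundle /tmp/src /tmp); (cd /tmp && sha256sum "$(basename "$b")" > SUMS); verify_bundle "$b" /tmp/SUMS`. Appending a single byte to the bundle afterwards makes `verify_bundle` report `checksum-mismatch`, which is the property the published digest list is meant to give a downloader.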
