Hi

On 3/30/24 14:20, Stanislav Malyshev wrote:
> But does the release manager generate the files (and the tarball) in a
> reproducible way?
>
> I understand that's what ./scripts/dev/makedist and
> ./scripts/dev/genfiles do, but I suspect exact bits in resulting
> configure and lexers may depend on the exact version of tools & utils
> used. For upstream packagers like distros I'd likely recommend using
> these tools directly anyway, and not rely on what's in the package.


I've made some improvements to the 'makedist' script last year to improve reproducibility [1], but they are not fully reproducible yet.

Notably the timestamps within the .tar archive are not reproducible yet: https://github.com/php/php-src/blob/186465b1ddcf203ddffb5d24bae897508c711586/scripts/dev/makedist#L169-L172

They are set to the time the script is run, but should probably be derived from the time of the current commit instead. Likewise the gzip call does not have the -n flag and thus also embeds a timestamp into the .tar.gz archive.

There are probably further bits that are not reproducible yet.

Best regards
Tim Düsterhus

[1] https://github.com/php/php-src/pull/10613 and https://github.com/php/php-src/pull/10615
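The two fixes named above (pin the tar member timestamps to a fixed epoch instead of "now", and pass -n to gzip so the .gz header carries no timestamp) as an added, stand-alone example. This is not the php-src makedist script; the sample file tree and the epoch value are constructed for the demo, and taking the epoch from `git log -1 --format=%ct` is one way to implement "derived from the time of the current commit", stated here as an assumption rather than anything the project has adopted.

```shell
#!/bin/sh
# Added example (not php-src code): build a .tar.gz twice with a pinned
# timestamp and check that both runs produce byte-identical archives.
set -eu

# Pack DIR into OUT with every timestamp set to EPOCH (seconds since 1970).
# In a git checkout the caller would typically use:
#   epoch=$(git log -1 --format=%ct)     # assumption: commit time as the source date
make_reproducible_tarball() {
    dir="$1"; out="$2"; epoch="$3"
    # --mtime pins every member's mtime, --sort fixes the entry order regardless
    # of directory listing order, --owner/--group/--numeric-owner drop the
    # builder's uid/gid and names, and --format=gnu avoids pax extended headers
    # that could carry atime/ctime.  gzip -n omits the input name and the
    # MTIME field from the gzip header, which is what a plain `gzip` would
    # otherwise fill with the current time when reading from a pipe.
    tar --format=gnu --sort=name --mtime="@$epoch" \
        --owner=0 --group=0 --numeric-owner \
        -cf - -C "$(dirname "$dir")" "$(basename "$dir")" \
        | gzip -n -9 > "$out"
}

tarball_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Bytes 4..7 of a gzip member are its MTIME field (little-endian, RFC 1952).
# With gzip -n they are all zero; without -n they hold a Unix timestamp.
gzip_header_mtime() {
    od -An -tx1 -j4 -N4 "$1" | tr -d ' \n'
}

# Demo on a constructed tree: two builds, with an on-disk mtime changed in
# between, must still hash identically.  Prints "identical" or "differ".
demo_reproducible() {
    work="$(mktemp -d)"
    mkdir -p "$work/php-src/scripts"
    printf 'configure script\n' > "$work/php-src/configure"
    printf 'makedist script\n'  > "$work/php-src/scripts/makedist"
    epoch=1711808400   # constructed value standing in for the commit time

    make_reproducible_tarball "$work/php-src" "$work/a.tar.gz" "$epoch"
    touch "$work/php-src/configure"   # bump the on-disk mtime; must not matter
    make_reproducible_tarball "$work/php-src" "$work/b.tar.gz" "$epoch"

    a=$(tarball_sha256 "$work/a.tar.gz")
    b=$(tarball_sha256 "$work/b.tar.gz")
    rm -rf "$work"
    if [ "$a" = "$b" ]; then echo identical; else echo differ; fi
}

# Returns the gzip MTIME bytes of a freshly built archive ("00000000" with -n).
demo_gzip_mtime_field() {
    work="$(mktemp -d)"
    mkdir -p "$work/t"
    printf 'x\n' > "$work/t/f"
    make_reproducible_tarball "$work/t" "$work/t.tar.gz" 1711808400
    m=$(gzip_header_mtime "$work/t.tar.gz")
    rm -rf "$work"
    echo "$m"
}

demo_reproducible
```

Run it on a GNU tar/gzip system; `--sort=name` needs GNU tar 1.28 or later. The same flags are what `SOURCE_DATE_EPOCH`-aware distro tooling expects, so packagers rebuilding from `makedist` get a tarball they can compare bit for bit against the released one rather than trusting the bytes in the package.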
