On Mon, Mar 21, 2016 at 09:09:40AM -0400, Ian Goldberg wrote:
> So who knows how to make a reproducible tarball?  We'd need to
> normalize:
> - The order of the files (I think make dist already does this, though)
> - The timestamps (--mtime), owners (--owner, --group), permissions (I
>   guess we could chmod the files first, or some combination of
>   --no-same-permissions and umask?) of the files
> - Anything else?
>
> And getting autoconf to get the "make dist" target actually *do* that
> might take some examining, but worst case, we can override $TAR or
> $am__tar, I suppose.

OK, here's the scoop.

As with most people, my knowledge of automake/autoconf is basically "find another project that does what I want and copy that". Unfortunately, I couldn't easily find another project successfully doing reproducible tarballs from "make dist". So what I came up with may not be The Right Way To Do It. Please, if anyone here can make this better, speak up! I'm particularly squeamish about overriding am__tar in configure.ac, since things with double underscores sound to me like "private! internal! don't look here!".

The commit is here:

https://bugs.otr.im/projects/pidgin-otr/repository/revisions/af8542f5ef26b3cc41245846a22537bd97c634fe/diff

If other people want to see if they get the same .tar.gz as I do:

    git clone git://git.otr.im/pidgin_otr
    cd pidgin_otr/
    git checkout devel
    intltoolize --force --copy
    autoreconf -s -i
    ./configure
    make dist
    sha256sum pidgin-otr-4.0.2.tar.gz

I get:

    b7eba26b65e30adb238813c2d45e4188075c2bfa44d4a7490a6fa4ac5033239d  pidgin-otr-4.0.2.tar.gz

and then, why not:

    tar xzvvf pidgin-otr-4.0.2.tar.gz
    cd pidgin-otr-4.0.2
    bash -x INSTALL.mingw
    sha256sum pidgin-otr-4.0.2.*

I get:

    9f7839c97f301c3a36bae5d1a801668ab90c4545bcc9b5b16397f2c44c3339f1  pidgin-otr-4.0.2.exe
    ca1d89cdf3c7496450252ce5945864b872a582f022af51d4928bf0cd07d367ea  pidgin-otr-4.0.2.zip

*** NOTE: in order to run "./configure" as a precursor to "make dist" for pidgin-otr, you will have to have pidgin-otr's _native_ dependencies installed, including the dev versions of libotr (or an installation from source/git), libgpg-error, libgcrypt, glib, gtk+, and pidgin. Is there a way around this, if all you want to do is "make dist" and not actually build the package?

The sha256 checksums for the .exe and .zip files are different from yesterday, since the changes to the pidgin-otr source caused the source timestamp (*not* a build timestamp!) to change, and the source timestamp appears in the binaries.

Anyone want to give this a shot?

Thanks,

   - Ian
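
The normalizations listed in the quoted message (file order, timestamps, owners, permissions), written out in Python as an added example; it is not the pidgin-otr commit and not code from the project. The names `reproducible_tgz` and `make_tree`, the `pkg-1.0` prefix and the fixed timestamp are assumptions made up here, and the sample tree is constructed. It also pins the gzip header's own timestamp and name fields, which sit outside the tar stream.

```python
import gzip, hashlib, io, os, tarfile, tempfile

FIXED_MTIME = 1458518400  # constructed value (2016-03-21 00:00 UTC), an assumption

def _normalize(ti):
    ti.mtime = FIXED_MTIME                 # same role as tar --mtime
    ti.uid = ti.gid = 0                    # same role as tar --owner / --group
    ti.uname = ti.gname = ""
    # Keep only "executable or not"; drop bits that depend on the builder's umask.
    ti.mode = 0o755 if (ti.isdir() or ti.mode & 0o100) else 0o644
    return ti

def reproducible_tgz(src_dir, prefix):
    """Return .tar.gz bytes that depend only on names, contents and the exec bit."""
    paths = []
    for root, dirs, files in os.walk(src_dir):
        paths += [os.path.join(root, n) for n in dirs + files]
    paths.sort()                           # fixed member order, independent of readdir()
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for p in paths:
            arc = os.path.join(prefix, os.path.relpath(p, src_dir))
            tar.add(p, arcname=arc, recursive=False, filter=_normalize)
    out = io.BytesIO()
    # The gzip header carries its own MTIME and optional file name; pin both.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def make_tree(root, mtime, mode):
    """Constructed sample input: same contents, caller-chosen mtime and mode."""
    os.makedirs(os.path.join(root, "src"))
    for name, data in (("src/main.c", b"int main(void){return 0;}\n"), ("README", b"hi\n")):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
        os.utime(path, (mtime, mtime))

def demo():
    """Two checkouts with different timestamps and permissions, one digest each."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        make_tree(a, 1_000_000_000, 0o600)
        make_tree(b, 1_400_000_000, 0o664)
        return [hashlib.sha256(reproducible_tgz(d, "pkg-1.0")).hexdigest() for d in (a, b)]

if __name__ == "__main__":
    print(demo())
```

Byte-identical output across machines also needs the same compressor build and level, since deflate output is not specified bit-for-bit.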