On 08/11/17 21:01, Martín Ferrari wrote:
> The best test would be to use gbp to create the tarballs under different
> conditions (machine, user name, path, manually touch()ing files locally)
> and see if they are really reproducible.

For one data point, I just tried this on two different machines (same arch, though), on different paths, one a fresh clone, the other my usual work dir, and after some random touch() of files, I always get the same tar.

$ gbp buildpackage --git-force-create --git-no-pristine-tar --git-compression=gzip --git-compression-level=9
$ sha256sum ../build-area/prometheus_1.8.1+ds.orig.tar.gz
726f7c392f99b48b63a85bc8f873fbdecbf6fabbb167a2dd7be312bdcf56d60c  ../build-area/prometheus_1.8.1+ds.orig.tar.gz

Which, notably, does not match what's on the archive.

It seems I had different default values for the compression level on different machines, so I had to pass the parameters explicitly. If I use compression level 6, I get that exact SHA:

$ sha256sum ../build-area/prometheus_1.8.1+ds.orig.tar.gz
726f7c392f99b48b63a85bc8f873fbdecbf6fabbb167a2dd7be312bdcf56d60c  ../build-area/prometheus_1.8.1+ds.orig.tar.gz

I think if we mandate some fixed parameters (by policy or inclusion in debian/gbp.conf), this approach would be feasible.

--
Martín Ferrari (Tincho)
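The two variables discussed in this message (local file state versus compression level) can be modelled with a short script; this is an added example, not part of the original message and not gbp's own code. It uses Python's tarfile and gzip modules as a stand-in, and the file names, contents, mtimes and fixed metadata values are constructed assumptions.

```python
import gzip
import hashlib
import io
import tarfile


def build_orig_tarball(files, level):
    """files maps path -> (content bytes, local mtime); returns .tar.gz bytes."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name in sorted(files):            # fixed member order
            data, _local_mtime = files[name]  # local mtime deliberately ignored
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0                    # fixed timestamp (assumption: epoch)
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    out = io.BytesIO()
    # mtime=0 and an empty filename keep the gzip header free of local state.
    with gzip.GzipFile(filename="", fileobj=out, mode="wb",
                       compresslevel=level, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def orig_sha256(files, level):
    """SHA-256 of the tarball, as sha256sum would print it."""
    return hashlib.sha256(build_orig_tarball(files, level)).hexdigest()


def sample_checkout(mtime, reverse=False):
    """Constructed sample tree; same content, caller-chosen mtimes and order."""
    words = [hashlib.sha256(str(i).encode()).hexdigest()[:3 + i % 9] for i in range(400)]
    body = " ".join(words[(i * 7) % 400] for i in range(6000)).encode()
    items = [("pkg-1.0/README", b"constructed sample\n"), ("pkg-1.0/main.go", body)]
    if reverse:
        items.reverse()
    return {name: (data, mtime) for name, data in items}


if __name__ == "__main__":
    fresh_clone = sample_checkout(mtime=1510000000)
    work_dir = sample_checkout(mtime=1510176000, reverse=True)  # "touched" files
    for level in (6, 9):
        print(level, orig_sha256(fresh_clone, level), orig_sha256(work_dir, level))
```

With metadata pinned, the digest is stable across the two constructed checkouts at a given level, while changing only the compression level changes the digest, which is why the level has to be fixed explicitly.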
