On Sat, Mar 24, 2018 at 1:01 PM, Alexander Sergeyev <sergeev...@gmail.com> wrote:
> On Sat, Mar 24, 2018 at 01:59:33PM -0400, Augie Fackler wrote: > >> If you need checksummable archives, depending on the output of `hg >> archive` to be stable from one invocation to the next is probably >> imprudent, unfortunately. >> > > Yes, I think this is pretty reasonable to expect. > > I did some digging in mercurial sources. The web request handler is at [1] > and more or less just using archival module. Apparently, the order of files > should not be a problem since the file list is sorted and pushed one-by-one > into the resulting archive [2]. File modification time look deterministic > too since the changeset mtime is used for all files. > > Still, the reason for introducing file sorting was not reproducibility [3] > and I can't find an indication that checksummable archives were considered > to be a feature. This does not prove anything, since the entire pipeline > must be deterministic (including compression itself), and there could be > complications (see [4], [5]). > > Unfortunately, the whole situation means delays in rolling out a firefox > release with security patches [6]: > > So gentoo will have to create and mirror a specific tarball on its own as >> well to avoid random digest errors (and the legality of this will need to >> be re-checked as well against the latest MPL).. It's administrivia, but >> necessary nevertheless. >> > > [1] https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/hgw > eb/webcommands.py#l1133 > [2] https://www.mercurial-scm.org/repo/hg/file/tip/mercurial/arc > hival.py#l322 > [3] https://www.mercurial-scm.org/repo/hg/rev/51932c835b74 > [4] https://stackoverflow.com/questions/45035782 > [5] https://superuser.com/questions/705877 > [6] https://bugs.gentoo.org/650472 > I audited the archival code a few weeks ago as part of <day job> and my conclusion was that it is deterministic. However, the .hg_archival.txt file may not be deterministic, depending on how it is configured and how the repository changes over time. https://bugzilla.mozilla.org/show_bug.cgi?id=1432591#c22 has the full context.
_______________________________________________ Mercurial mailing list Mercurial@mercurial-scm.org https://www.mercurial-scm.org/mailman/listinfo/mercurial