From 9c93573d15e90232de0effb4c28332c454dbc290 Mon Sep 17 00:00:00 2001
From: Lars-Dominik Braun
Date: Thu, 17 Jun 2021 14:11:19 +0200
Subject: [PATCH] build: Make outputs of node-build-system reproducible.

package.json records two hashes of package.tgz, which change for each build, resulting in non-reproducible builds.

* guix/build/node-build-system.scm (repack): Add reproducibility options to tar command.
---
 guix/build/node-build-system.scm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/guix/build/node-build-system.scm b/guix/build/node-build-system.scm
index a55cab237c..70a367618e 100644
--- a/guix/build/node-build-system.scm
+++ b/guix/build/node-build-system.scm
@@ -120,7 +120,14 @@
 #t)
 (define* (repack #:key inputs #:allow-other-keys)
- (invoke "tar" "-czf" "../package.tgz" ".")
+ (invoke "tar"
+ ;; Add options suggested by https://reproducible-builds.org/docs/archives/
+ "--sort=name"
+ (string-append "--mtime=@" (getenv "SOURCE_DATE_EPOCH"))
+ "--owner=0"
+ "--group=0"
+ "--numeric-owner"
+ "-czf" "../package.tgz" ".")
 #t)
 (define* (install #:key outputs inputs #:allow-other-keys)
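Review bot: In the added `--mtime` argument, `(getenv "SOURCE_DATE_EPOCH")` returns `#f` when the variable is unset, so `string-append` would fail with a type error that says nothing about the cause. The build environment presumably always sets the variable, but an explicit check keeps the failure readable, e.g. `(or (getenv "SOURCE_DATE_EPOCH") (error "SOURCE_DATE_EPOCH is not set"))`. Since package.json records hashes of the compressed package.tgz, it is also worth confirming that the gzip layer behind `-z` writes no timestamp into its own header; if it does, the archive would need to be piped through `gzip --no-name` instead.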