build: Make outputs of node-build-system reproducible.

package.json records two hashes of package.tgz, which change for each
build, resulting in non-reproducible builds.

* guix/build/node-build-system.scm (repack): Add reproducibility options
to tar command.
master
Lars-Dominik Braun 2021-06-17 14:11:19 +02:00
parent 16abea6ff1
commit 9c93573d15
No known key found for this signature in database
GPG Key ID: F663943E08D8092A
1 changed files with 8 additions and 1 deletions

@ -120,7 +120,14 @@
#t)
(define* (repack #:key inputs #:allow-other-keys)
(invoke "tar" "-czf" "../package.tgz" ".")
(invoke "tar"
;; Add options suggested by https://reproducible-builds.org/docs/archives/
"--sort=name"
(string-append "--mtime=@" (getenv "SOURCE_DATE_EPOCH"))
"--owner=0"
"--group=0"
"--numeric-owner"
"-czf" "../package.tgz" ".")
#t)
(define* (install #:key outputs inputs #:allow-other-keys)
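Review bot: In the new tar invocation in repack, (getenv "SOURCE_DATE_EPOCH") returns #f when the variable is unset, and string-append then fails with a wrong-type-argument error instead of a message that names the missing variable. If repack can ever run where SOURCE_DATE_EPOCH is not guaranteed to be set, bind the value first and either fall back to a fixed timestamp or raise an explicit error. The single comment links to reproducible-builds.org but does not say what each flag contributes; a short note that --sort=name fixes entry order, --mtime pins timestamps, and --owner=0, --group=0 and --numeric-owner remove the builder's identity would make the intent clear to later readers without following the link.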