make .tar.gz file metadata reproducible by alexbozhenko · Pull Request #6701 · nats-io/nats-server

alexbozhenko · 2025-03-20T18:57:03Z

Make contents of the archive to be owned by root, so archives have same shasum, no matter which user runs the build.
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html

Test plan

Before

Built 2.11.0 tag locally with:
# go clean -cache && goreleaser release --skip=announce,publish,validate --clean -f .goreleaser.yml
File permissions in the archive are different, reported by https://diffoscope.org/:

# docker run --rm -t -w $(pwd) -v $(pwd):$(pwd):ro       registry.salsa.debian.org/reproducible-builds/diffoscope nats_server_gh_assets/2.11.0/nats-server-v2.11.0-linux-amd64.tar.gz nats-server/dist/nats-server-v2.11.0-linux-amd64.tar.gz
--- nats_server_gh_assets/2.11.0/nats-server-v2.11.0-linux-amd64.tar.gz
+++ nats-server/dist/nats-server-v2.11.0-linux-amd64.tar.gz
├── nats-server-v2.11.0-linux-amd64.tar
│ ├── file list
│ │ @@ -1,3 +1,3 @@
│ │ --rw-r--r--   0 runner    (1001) docker     (118)    11357 2025-03-19 15:28:05.000000 nats-server-v2.11.0-linux-amd64/LICENSE
│ │ --rw-r--r--   0 runner    (1001) docker     (118)     4404 2025-03-19 15:28:05.000000 nats-server-v2.11.0-linux-amd64/README.md
│ │ --rwxr-xr-x   0 runner    (1001) docker     (118) 16442017 2025-03-19 15:28:05.000000 nats-server-v2.11.0-linux-amd64/nats-server
│ │ +-rw-r--r--   0 alex      (1000) alex      (1000)    11357 2025-03-19 15:28:05.000000 nats-server-v2.11.0-linux-amd64/LICENSE
│ │ +-rw-r--r--   0 alex      (1000) alex      (1000)     4404 2025-03-19 15:28:05.000000 nats-server-v2.11.0-linux-amd64/README.md
│ │ +-rwxr-xr-x   0 alex      (1000) alex      (1000) 16442017 2025-03-19 15:28:05.000000 nats-server-v2.11.0-linux-amd64/nats-server

After:
Tar content owned by root:root

Signed-off-by: Alex Bozhenko alex@synadia.com

Signed-off-by: Alex Bozhenko <alexbozhenko@gmail.com>

alexbozhenko · 2025-04-04T16:45:11Z

@neilalexander could you please review when you get a chance?

neilalexander

LGTM

Follow-up to #6359 and #6701 Since 2.11.2 version of goreleaser, it is allowed to set buildhost for RPMs https://github.com/orgs/goreleaser/discussions/5662 I believe with this all the rpms, debs and tars will be reproducible(the binaries have been reproducible for long time) ## Test plan: ``` # go clean -cache && goreleaser release --skip=announce,publish,validate --clean -f .goreleaser.yml ``` ``` # rpm -qip nats-server-v2.12.0-RC.3-s390x.rpm | grep -i 'Build Host' Build Host : synadia.com ``` [skip ci] Signed-off-by: Alex Bozhenko <alexbozhenko@gmail.com>

make .tar.gz file metadata reproducible

d5df540

Signed-off-by: Alex Bozhenko <alexbozhenko@gmail.com>

alexbozhenko requested a review from a team as a code owner March 20, 2025 18:57

neilalexander approved these changes Apr 7, 2025

View reviewed changes

neilalexander merged commit aaf1ac8 into main Apr 7, 2025
37 checks passed

neilalexander deleted the more_reproducible_build_tweaks branch April 7, 2025 10:22

alexbozhenko mentioned this pull request Sep 12, 2025

Set build host in goreleaser to have reproducible rpms #7307

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

make .tar.gz file metadata reproducible#6701

make .tar.gz file metadata reproducible#6701
neilalexander merged 1 commit intomainfrom
more_reproducible_build_tweaks

alexbozhenko commented Mar 20, 2025

Uh oh!

alexbozhenko commented Apr 4, 2025

Uh oh!

neilalexander left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

alexbozhenko commented Mar 20, 2025

Test plan

Before

Uh oh!

alexbozhenko commented Apr 4, 2025

Uh oh!

neilalexander left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants