[MacPorts] ReproducibleBuilds modified
noreply at macports.org
Thu Sep 29 19:21:27 UTC 2022
Page "ReproducibleBuilds" was changed by neverpanic
Diff URL: <https://trac.macports.org/wiki/ReproducibleBuilds?action=diff&version=4>
Comment: Did some reproducibility testing, and this definitely affects us.
--- ReproducibleBuilds (version: 3)
+++ ReproducibleBuilds (version: 4)
@@ -26,3 +26,11 @@
Wherever possible, ports should fetch from compressed distfiles, which our network of servers will automatically mirror. When this is not possible, a port might fetch directly from the developers' repository. When fetching from a repository, it is important to specify a specific revision or commit to fetch. It is not acceptable to fetch from the head or tip of the trunk or of a specific branch, because if two users install the same version of the port a day apart, and in between the developers commit a new revision to their repository, the two users will have different software, but no outward indication that this is the case. Also, the user who installed the port first will have no indication that new software is available, and even if they knew that a new version was available, they would have to forcibly rebuild the port to get it, since MacPorts would not consider the port outdated. Even that might not work: if the port is distributable, our buildbot will build a binary package the moment it is committed, and users might forevermore get that version, even if newer versions are available upstream. Finally, users who do manage to get newer commits are thus getting software that nobody at MacPorts has tested before; we always want at least one person (the MacPorts committer) to have verified that software at least builds and ideally works correctly and does not have any adverse side-effects (malware perhaps?) before making it available to other MacPorts users.
The solution is to always specify a specific known-good commit of the upstream repository to use. When new software is available upstream, the portfile can be updated to reference that new version.
+=== Current reproducibility problems in MacPorts ===
+At the moment, binary archives in MacPorts are generally not reproducible. The following issues are known and must be fixed to get reproducible binary archives.
+ - The order of entries in a binary archive depends on the filesystem order. Entries should be sorted before being added to the archives.
+ - The timestamps of files in a binary archive vary with the local system time. Timestamps for these files should be clamped to a specific maximum value, possibly specified by [https://reproducible-builds.org/specs/source-date-epoch/ $SOURCE_DATE_EPOCH].
+ - The macOS linker includes a file's modification time when creating debug maps, unless the environment variable `ZERO_AR_DATE` is set (value doesn't matter). Search the ld64 source code for `ZERO_AR_DATE` in `src/ld/Options.cpp` for more information.
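Review bot: the first bullet asks for archive entries to be sorted but does not say by which order; since locale-dependent collation varies between systems just as filesystem order does, suggest wording it as "sorted by the byte value of the path name, independent of locale". The second bullet names the clamping mechanism ($SOURCE_DATE_EPOCH) but not where MacPorts would take that value from, so a builder cannot tell what timestamp a reproducible archive should end up with; stating the intended source would make the requirement actionable. In the third bullet, "value doesn't matter" is correct for `ZERO_AR_DATE` as described, but a short note on where in the MacPorts build the variable is expected to be exported would help whoever picks up the fix.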
Page URL: <https://trac.macports.org/wiki/ReproducibleBuilds>