In the initial implementation of reproducible tarballs, they were
missing directory entries, while .zip archives had them. It meant
that on extracting the tarball, on-disk directory entries got the
current timestamp.
This patch fixes this by including directory entries in the tarball,
with reproducible timestamps. It also moves sorting inside tar,
to ensure reproducible directory entry timestamps on extract
(without the need of `--delay-directory-restore` option, when
extracting with GNU tar. BSD tar got that right by default.)
GNU tar 1.28 (2014-07-28) introduced `--sort=`.
Follow-up to d52fe1b435#1357Closes#1359
- support `SOURCE_DATE_EPOCH` for reproducibility.
- make tarballs reproducible.
- make file timestamps in tarball/zip reproducible.
- make directory timestamps in zip reproducible.
- make timestamps of tarballs/zip reproducible.
- make file order in tarball/zip reproducible.
- use POSIX ustar tarball format to avoid supply chain vulnerability: https://seclists.org/oss-sec/2021/q4/0
- make uid/gid in tarball reproducible.
- omit owner user/group names from tarball for reproducibility and privacy.
- omit current timestamp from .gz header for reproducibility.
- display SHA-256 hashes of produced tarballs/zip. (Requires `sha256sum`)
- re-sync formatting with curl's `maketgz`.
Closes#1357
- set bash `-eu`.
- fix bash `-eu` issues.
- apply `TZ=UTC` and `LC_ALL=C` for reproducibility.
- sort `.zip` entries for reproducibility.
- zip with `--no-extra` for reproducibliity.
- use maximum zip compression.
- add the gpg sign command-line. Copied from curl.
- add CI test for `maketgz`.
Closes#1353
- All files have prominent copyright and SPDX identifier
- If not embedded in the file, in the .reuse/dep5 file
- All used licenses are in LICENSES/ (not shipped in tarballs)
- A new REUSE CI job verify that all files are OK
Assisted-by: Viktor Szakats
Closes#1084
- fix shellcheck warnings:
- use quotes
- use `$()`
- use `printf` (instead of calling perl).
- indent.
- copy/adapt header comment from curl to `maketgz`.
Starting now, the NEWS file is generated from git using the git2news.pl
script. This makes it always accurate and up-to-date, even for daily
snapshots etc.
the making of the release archive.
Added 'maketgz' as a script to build release archives with, including automated
snapshots or whatever. It updates the defines in include/libssh2.h.
configure now extracts the version number from the include/libssh2.h header in
the source tree instead of using it fixed set in the script (to remove the
need for regenerating the configure script when we run maketgz).
Makefile.am now has a dist-hook that puts ".dist" files in the release tree
instead of the file without the .dist extension, so that we can easily add
modified files in release archives. Like maketgz.
