GH-46336: [Release][Packaging] Add support for Reproducible Builds for source archive #46342
Conversation
…lds for source archive See https://reproducible-builds.org/ for Reproducible Builds. Automated Release Signing requires this: https://infra.apache.org/release-signing.html#automated-release-signing
|
|
|
Ah, https://infra.apache.org/release-signing.html#automated-release-signing includes the following:
We need to add a reproducible check to |
Implemented. |
|
@assignUser @raulcd Do you want to review this before we request a review from INFRA? |
github-actions
bot
added
awaiting merge
github-actions
bot
added
awaiting review
github-actions
bot
added
awaiting merge
|
I asked INFRA to review and enable automatic release signing for source arhicve: https://issues.apache.org/jira/browse/INFRA-26808 |
|
Sorry, I didn't have time to have a look so far, but this is great! |
| tar czf ${tarball} ${root_folder} | ||
| # Create new tarball from modified source directory. | ||
| # | ||
| # We need GNU tar for Reproducible Builds. We want to use the same |
There was a problem hiding this comment.
I was hoping we can use something like https://salsa.debian.org/reproducible-builds/strip-nondeterminism but it might not have support for tar files.
There was a problem hiding this comment.
Wow, I didn't know the tool. It's introduced in https://reproducible-builds.org/docs/stripping-unreproducible-information/ .
The approaches used here are listed in https://reproducible-builds.org/docs/archives/ .
Let's use GNU tar for now because strip-nondeterminism doesn't have tar support.
There was a problem hiding this comment.
Can we add a comment pointing to https://reproducible-builds.org/docs/stripping-unreproducible-information/ ?
github-actions
bot
added
awaiting changes
| # * https://github.com/apache/arrow/pull/4488 | ||
| # | ||
| # We need to set constant timestamp for a dummy .git/ directory for | ||
| # Reproducible Builds. We use mtime of csharp/ for it. |
There was a problem hiding this comment.
Why don't we use SOURCE_DATE_EPOCH?
There was a problem hiding this comment.
I didn't know SOURCE_DATE_EPOCH.
I used it with tar not here.
github-actions
bot
added
awaiting change review
Rationale for this change
See https://reproducible-builds.org/ for Reproducible Builds.
Automated Release Signing requires this:
https://infra.apache.org/release-signing.html#automated-release-signing
What changes are included in this PR?
dev/release/utils-create-release-tarball.shreproducibleAre these changes tested?
Yes.
Are there any user-facing changes?
No.