GNU bug report logs - #76860
[PATCH] Reproducible tarballs for releases


Package: emacs;

Reported by: Stefan Kangas <stefankangas <at> gmail.com>

Date: Sat, 8 Mar 2025 10:20:02 UTC

Severity: wishlist

Tags: patch




Message #5 received at submit <at> debbugs.gnu.org:

From: Stefan Kangas <stefankangas <at> gmail.com>
To: bug-gnu-emacs <at> gnu.org
Subject: [PATCH] Reproducible tarballs for releases
Date: Sat, 8 Mar 2025 10:19:33 +0000
Severity: wishlist

I propose that we ensure reproducibility in our release tarballs by
applying the recommended GNU Tar options.  Please see the attached
patch.

The main value of reproducible tarballs is that they allow anyone --
whether downstream packagers, security auditors, or independent
developers -- to verify that the official release tarball matches the
corresponding source repository exactly.

This is particularly useful for:

1. Supply chain security.  Ensuring that the tarball is built from the
   expected source, with no accidental or malicious modifications.

2. Downstream distributions.  Some distributions, like Debian and Guix,
   strongly prefer reproducible builds to improve verifiability and
   package integrity.

3. Debugging and consistency.  Developers can regenerate the exact same
   tarball locally, making it easier to debug, compare versions, or
   audit historical releases.

Even if we're the only ones who generate official tarballs, making them
reproducible improves transparency and verifiability, which are
worthwhile goals on their own.

This approach follows the official GNU Tar manual guidelines:
https://www.gnu.org/software/tar/manual/html_node/Reproducibility.html
[0001-Make-release-tarball-more-reproducible.patch (text/x-patch, attachment)]
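As an added illustration of the GNU Tar reproducibility options the report refers to (this is not the attached patch and not Emacs's own build script), the following script builds a tarball from a constructed source tree twice, perturbing file timestamps and permissions in between, and checks that both builds hash identically. It assumes GNU tar 1.29 or later (for `--sort` and `--clamp-mtime`) and coreutils `sha256sum`.

```sh
#!/bin/sh
# Added example: create a release tarball with the GNU Tar reproducibility
# options and verify that two independent builds of one tree hash the same.
# Assumes GNU tar >= 1.29 and coreutils sha256sum.

# Build a deterministic tarball of directory $1 into file $2.
# SOURCE_DATE_EPOCH (if set) pins every mtime; otherwise the Unix epoch is used.
reproducible_tar() {
    src=$1
    out=$2
    epoch=${SOURCE_DATE_EPOCH:-0}
    LC_ALL=C tar \
        --sort=name \
        --format=posix \
        --pax-option=exthdr.name=%d/PaxHeaders/%f \
        --pax-option=delete=atime,delete=ctime \
        --mtime="@$epoch" --clamp-mtime \
        --numeric-owner --owner=0 --group=0 \
        --mode=go+u,go-w \
        -C "$(dirname "$src")" -cf "$out" "$(basename "$src")"
}

# SHA-256 of a file: the value a packager compares with the published checksum.
tar_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Build a constructed tree twice (files created out of alphabetical order, then
# an mtime and a permission changed); print the shared digest, return 1 on mismatch.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src/lisp"
    printf 'hello\n' > "$work/src/lisp/b.el"
    printf 'world\n' > "$work/src/lisp/a.el"
    reproducible_tar "$work/src" "$work/first.tar"
    touch "$work/src/lisp/a.el"
    chmod 600 "$work/src/lisp/b.el"
    reproducible_tar "$work/src" "$work/second.tar"
    d1=$(tar_digest "$work/first.tar")
    d2=$(tar_digest "$work/second.tar")
    rm -rf "$work"
    [ "$d1" = "$d2" ] || { echo "NOT reproducible: $d1 != $d2" >&2; return 1; }
    echo "reproducible: $d1"
}

demo
```

If the archive is then compressed, use `gzip -n` (which omits the name and timestamp gzip would otherwise store) or xz, so that the compressed file stays reproducible as well.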

