Re: Reproducible builds: are release tarballs a part of it?

From: Ed Maste <emaste_at_freebsd.org>
Date: Mon, 09 Dec 2024 16:35:01 UTC
On Mon, 9 Dec 2024 at 06:08, Pat Maddox <pat@patmaddox.com> wrote:
>
> I am trying to reproduce https://download.freebsd.org/releases/amd64/14.2-RELEASE/MANIFEST from source. Is that possible?
>
> As part of this effort, I am having trouble reproducing base.txz across any two builds at all - much less the published one.

Thanks for submitting PR283214. It looks like this indeed is due to
directory contents being returned in an arbitrary order, and bsdtar's
lack of an option to sort them. GNU sort supports --sort=name to
address this issue. There's a prototype patch from 2015 to sort
directory contents (without an option):
https://github.com/libarchive/libarchive/issues/602

As Colin pointed out in PR283214 we can (and should) address this in
the short term by using find and sort, but I still would like to see
this supported directly in bsdtar.