Subject: [bug#75426] [PATCH] docker: Build tarballs reproducibly.
Resent-From: Ludovic Courtès
Resent-Date: Tue, 07 Jan 2025 22:57:01 +0000
To: 75426@debbugs.gnu.org
Cc: Simon Josefsson, Ludovic Courtès, Christopher Baines, Josselin Poiret, Mathieu Othacehe, Simon Tournier, Tobias Geerinckx-Rice
X-Debbugs-Original-To: guix-patches@gnu.org
From: Ludovic Courtès
Date: Tue, 7 Jan 2025 23:55:33 +0100
X-Mailer: git-send-email 2.47.1

Fixes .

* guix/docker.scm (tar): New procedure.
(create-empty-tar, build-docker-image): Use it instead of calling ‘invoke’ directly.

Reported-by: Simon Josefsson
Change-Id: Ia899c43ed6a3809ff845de0953e3d38cccf24609
---
 guix/docker.scm | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/guix/docker.scm b/guix/docker.scm
index b33c5824dd..d9764f61fb 100644
--- a/guix/docker.scm
+++ b/guix/docker.scm
@@ -1,6 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Ricardo Wurmus -;;; Copyright © 2017, 2018, 2019, 2021 Ludovic Courtès +;;; Copyright © 2017-2019, 2021, 2025 Ludovic Courtès ;;; Copyright © 2018 Chris Marusich ;;; Copyright © 2021 Maxim Cournoyer ;;; Copyright © 2023 Oleg Pykhalov
@@ -170,8 +170,15 @@ (define (size-sorted-store-items items max-layers) (1- items-length))))) (list head tail))) +(define (tar . arguments) + "Invoke 'tar' with the given ARGUMENTS together with options to build +tarballs in a reproducible fashion." + (apply invoke "tar" "--mtime=@1" + "--owner=0" "--group=0" "--numeric-owner" + "--sort=name" "--mode=go+u,go-w" arguments)) + (define (create-empty-tar file) - (invoke "tar" "-cf" file "--files-from" "/dev/null")) + (tar "-cf" file "--files-from" "/dev/null")) (define* (build-docker-image image paths prefix #:key @@ -255,7 +262,7 @@ (define* (build-docker-image image paths prefix (file-name (string-append file-hash "/layer.tar"))) (mkdir file-hash) (rename-file "layer.tar" file-name) - (invoke "tar" "-rf" "image.tar" file-name) + (tar "-rf" "image.tar" file-name) (delete-file file-name) file-hash)) (define layers-hashes @@ -268,20 +275,20 @@ (define* (build-docker-image image paths prefix (let* ((head-layers (map (lambda (file) - (invoke "tar" "cf" "layer.tar" file) + (tar "cf" "layer.tar" file) (seal-layer)) head)) (tail-layer (begin (create-empty-tar "layer.tar") (for-each (lambda (file) - (invoke "tar" "-rf" "layer.tar" file)) + (tar "-rf" "layer.tar" file)) tail) (let* ((file-hash (layer-diff-id "layer.tar")) (file-name (string-append file-hash "/layer.tar"))) (mkdir file-hash) (rename-file "layer.tar" file-name) - (invoke "tar" "-rf" "image.tar" file-name) + (tar "-rf" "image.tar" file-name) (delete-file file-name) file-hash))) (customization-layer @@ -290,7 +297,7 @@ (define* (build-docker-image image paths prefix (file-name (string-append file-hash "/layer.tar"))) (mkdir file-hash) (rename-file file-id file-name) - (invoke "tar" "-rf" "image.tar" file-name) + (tar "-rf" "image.tar" file-name) file-hash)) (all-layers (append head-layers (list tail-layer customization-layer)))) 
@@ -300,7 +307,7 @@ (define* (build-docker-image image paths prefix (map (cut string-append <> "/layer.tar") all-layers) repository)))) - (invoke "tar" "-rf" "image.tar" "manifest.json") + (tar "-rf" "image.tar" "manifest.json") all-layers)))) (let* ((directory "/tmp/docker-image") ;temporary working directory (id (docker-id prefix)) @@ -388,7 +395,7 @@ (define* (build-docker-image image paths prefix #:entry-point entry-point)))) (if max-layers (begin - (invoke "tar" "-rf" "image.tar" "config.json") + (tar "-rf" "image.tar" "config.json") (if compressor (begin (apply invoke `(,@compressor "image.tar")) base-commit: eeb019eb595bbb29f83389deb2fc823ed6402dd5 -- 2.47.1
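Review bot: the new `tar` procedure (hunk @@ -170) normalizes mtime, ownership, member order and mode but leaves the archive format to GNU tar's default; if the tar in the build environment were ever configured with a POSIX/pax default, its extended headers would carry atime/ctime values that `--mtime=@1` does not touch, and the output would stop being bit-reproducible. Consider pinning the format explicitly (for example `--format=gnu`, or a `--pax-option=delete=atime,delete=ctime`) so reproducibility does not depend on how tar was built, and consider noting in the docstring that `--sort=name` and `--mtime=@1` are GNU tar options rather than portable tar syntax.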
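Review bot: the `head-layers` lambda (hunk @@ -268) now reads `(tar "cf" "layer.tar" file)`, but the wrapper prepends `--mtime=@1 --owner=0 ...`, so `cf` is no longer tar's first argument; as far as I can tell GNU tar only interprets an old-style letter cluster when it is argv[1], so here `cf` would be taken as a file name and tar would fail for lack of an operation mode. The old `(invoke "tar" "cf" ...)` worked only because `cf` came first. Please use `"-cf"` as every other call site in this patch does, e.g. `(tar "-cf" "layer.tar" file)`, matching `(tar "-cf" file "--files-from" "/dev/null")` in `create-empty-tar`.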