Fix reproducibility of embedded data tarball

The tar command in package-cli produces a non-reproducible archive
because file ordering and timestamps vary between builds. This causes
bit-for-bit differences when rebuilding k3s from the same source,
which breaks reproducible build systems such as Nix.

Sort the archive entries by name and clamp modification times to the
Unix epoch so the tarball content is deterministic regardless of
filesystem ordering or build time.

Ref: NixOS/nixpkgs#430225
Ref: NixOS/nixpkgs#502374

Signed-off-by: Jon Hermansen <jon@jh86.org>
pull/13906/head
Jon Hermansen 2026-03-29 19:52:49 -04:00 committed by Brad Davidson
parent 8a4219e66c
commit 500fd9cfd1
1 changed file with 2 additions and 1 deletion


@ -54,7 +54,8 @@ mkdir -p ./etc
set -x
)
tar cvf ./build/out/data-${OS}.tar ./bin ./etc
# Ensure the embedded tarball is reproducible: sort file order and clamp timestamps
tar --sort=name --mtime=@0 -cvf ./build/out/data-${OS}.tar ./bin ./etc
zstd --no-progress -T0 -16 -f --long=25 --rm ./build/out/data-${OS}.tar -o ./build/out/data-${OS}.tar.zst
HASH=$(sha256sum ./build/out/data-${OS}.tar.zst | awk '{print $1}')
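Review bot: the new tar invocation in this hunk fixes entry order and mtime but still records whatever uid/gid, owner and group names the build user happens to have, which is another common source of non-reproducible tarballs; consider adding `--owner=0 --group=0 --numeric-owner` alongside `--sort=name --mtime=@0`. Also note that `--sort=name` and the `@0` mtime form are GNU tar features (`--sort` needs GNU tar 1.28 or newer and is absent from bsdtar), so the build environment must guarantee GNU tar or the command fails outright rather than silently producing a non-deterministic archive.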