[PATCH] libubootenv: generate reproducible source tarball

srinuv...@siemens.com

unread,

Jan 8, 2026, 12:46:54 AM (7 days ago) Jan 8

to isar-...@googlegroups.com, srinuvasan, Cedric Hombourger

From: srinuvasan <srinuv...@siemens.com>

Apply additional options to the tar command used to generate
reproducible source tarball: (1) use numeric and null [GU]IDs,
-clamp-mtime for file modification times to never be later than
SOURCE_DATE_EPOCH (preserving mtimes for files not modified by
the recipe) and --sort=name for consistent ordering within the
archive.

Signed-off-by: Cedric Hombourger <cedric.h...@siemens.com>
Signed-off-by: srinuvasan <srinuv...@siemens.com>
---
meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
index 4d64ff8e..74409431 100644
--- a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
+++ b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
@@ -25,5 +25,9 @@ CHANGELOG_V ?= "${PV}+isar-${SRCREV}"
do_prepare_build() {
deb_add_changelog
cd ${WORKDIR}
- tar cJf ${BPN}_${PV}+isar.orig.tar.xz --exclude=.git --exclude=debian ${P}
+ tar cJf ${BPN}_${PV}+isar.orig.tar.xz \
+ --exclude=.git --exclude=debian \
+ --mtime=@${SOURCE_DATE_EPOCH} --clamp-mtime \
+ --owner=0 --group=0 --numeric-owner \
+ --sort=name ${P}
}
--
2.39.5

MOESSBAUER, Felix

unread,

Jan 8, 2026, 3:29:33 AM (7 days ago) Jan 8

to isar-...@googlegroups.com, Arjunan, Srinu, Hombourger, Cedric

On Thu, 2026-01-08 at 11:16 +0530, srinuvasan.a via isar-users wrote:
> From: srinuvasan <srinuv...@siemens.com>
>
> Apply additional options to the tar command used to generate
> reproducible source tarball: (1) use numeric and null [GU]IDs,
> -clamp-mtime for file modification times to never be later than
> SOURCE_DATE_EPOCH (preserving mtimes for files not modified by
> the recipe) and --sort=name for consistent ordering within the
> archive.

Hi, the change itself is fine. I'm just wondering if we have the same
issue in other places as well. It probably makes sense to either create
a variable $TAR_REPRO_OPTS or create a deb_create_src_tar command to
completely handle the tar creation.

Best regards,
Felix

>
> Signed-off-by: Cedric Hombourger <cedric.h...@siemens.com>
> Signed-off-by: srinuvasan <srinuv...@siemens.com>
> ---
> meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
> index 4d64ff8e..74409431 100644
> --- a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
> +++ b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
> @@ -25,5 +25,9 @@ CHANGELOG_V ?= "${PV}+isar-${SRCREV}"
> do_prepare_build() {
> deb_add_changelog
> cd ${WORKDIR}
> - tar cJf ${BPN}_${PV}+isar.orig.tar.xz --exclude=.git --exclude=debian ${P}
> + tar cJf ${BPN}_${PV}+isar.orig.tar.xz \
> + --exclude=.git --exclude=debian \
> + --mtime=@${SOURCE_DATE_EPOCH} --clamp-mtime \
> + --owner=0 --group=0 --numeric-owner \
> + --sort=name ${P}
> }
> --
> 2.39.5
>

> --
> You received this message because you are subscribed to the Google Groups "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+...@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260108054650.62014-1-srinuvasan.a%40siemens.com.

--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany

srinuv...@siemens.com

unread,

Jan 12, 2026, 6:20:11 AM (3 days ago) Jan 12

to isar-...@googlegroups.com, srinuvasan, Cedric Hombourger

From: srinuvasan <srinuv...@siemens.com>

Apply additional options to the tar command used to generate
reproducible source tarball: (1) use numeric and null [GU]IDs,
-clamp-mtime for file modification times to never be later than
SOURCE_DATE_EPOCH (preserving mtimes for files not modified by
the recipe) and --sort=name for consistent ordering within the
archive.

Signed-off-by: Cedric Hombourger <cedric.h...@siemens.com>
Signed-off-by: srinuvasan <srinuv...@siemens.com>
---

meta/classes-recipe/dpkg-source.bbclass | 5 +++++
meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/dpkg-source.bbclass b/meta/classes-recipe/dpkg-source.bbclass
index a16e5812..95042edc 100644
--- a/meta/classes-recipe/dpkg-source.bbclass
+++ b/meta/classes-recipe/dpkg-source.bbclass
@@ -5,6 +5,11 @@

inherit dpkg-base

+TAR_REPRO_OPTS = "--exclude=.git --exclude=debian \
+--mtime=@${SOURCE_DATE_EPOCH} --clamp-mtime \
+--owner=0 --group=0 --numeric-owner \
+--sort=name"
+
DPKG_SOURCE_EXTRA_ARGS ?= "-I"

DEBIAN_SOURCE ?= "${BPN}"
diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
index 4d64ff8e..d2908536 100644
--- a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
+++ b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
@@ -25,5 +25,5 @@ CHANGELOG_V ?= "${PV}+isar-${SRCREV}"

do_prepare_build() {
deb_add_changelog
cd ${WORKDIR}
- tar cJf ${BPN}_${PV}+isar.orig.tar.xz --exclude=.git --exclude=debian ${P}

+ tar cJf ${BPN}_${PV}+isar.orig.tar.xz ${TAR_REPRO_OPTS} ${P}
}
--
2.39.5

MOESSBAUER, Felix

unread,

Jan 12, 2026, 7:27:13 AM (3 days ago) Jan 12

to isar-...@googlegroups.com, Arjunan, Srinu, Hombourger, Cedric

On Mon, 2026-01-12 at 16:50 +0530, srinuvasan.a via isar-users wrote:
> From: srinuvasan <srinuv...@siemens.com>
>
> Apply additional options to the tar command used to generate
> reproducible source tarball: (1) use numeric and null [GU]IDs,
> -clamp-mtime for file modification times to never be later than
> SOURCE_DATE_EPOCH (preserving mtimes for files not modified by
> the recipe) and --sort=name for consistent ordering within the
> archive.
>
> Signed-off-by: Cedric Hombourger <cedric.h...@siemens.com>
> Signed-off-by: srinuvasan <srinuv...@siemens.com>
> ---
> meta/classes-recipe/dpkg-source.bbclass | 5 +++++
> meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb | 2 +-
> 2 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes-recipe/dpkg-source.bbclass b/meta/classes-recipe/dpkg-source.bbclass
> index a16e5812..95042edc 100644
> --- a/meta/classes-recipe/dpkg-source.bbclass
> +++ b/meta/classes-recipe/dpkg-source.bbclass
> @@ -5,6 +5,11 @@
>
> inherit dpkg-base
>
> +TAR_REPRO_OPTS = "--exclude=.git --exclude=debian \

Can we use a weak assignment here? Apart from that, it is exactly as I
envisioned it. Thanks!

PS: please send subsequent versions as new mails, instead of replies to
an existing series.

Felix

> +--mtime=@${SOURCE_DATE_EPOCH} --clamp-mtime \
> +--owner=0 --group=0 --numeric-owner \
> +--sort=name"
> +
> DPKG_SOURCE_EXTRA_ARGS ?= "-I"
>
> DEBIAN_SOURCE ?= "${BPN}"
> diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
> index 4d64ff8e..d2908536 100644
> --- a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
> +++ b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
> @@ -25,5 +25,5 @@ CHANGELOG_V ?= "${PV}+isar-${SRCREV}"
> do_prepare_build() {
> deb_add_changelog
> cd ${WORKDIR}
> - tar cJf ${BPN}_${PV}+isar.orig.tar.xz --exclude=.git --exclude=debian ${P}
> + tar cJf ${BPN}_${PV}+isar.orig.tar.xz ${TAR_REPRO_OPTS} ${P}
> }
> --
> 2.39.5
>

> --
> You received this message because you are subscribed to the Google Groups "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+...@googlegroups.com.

> To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260112112019.80625-1-srinuvasan.a%40siemens.com.

srinuv...@siemens.com

unread,

Jan 13, 2026, 12:46:24 AM (2 days ago) Jan 13

to isar-...@googlegroups.com, felix.mo...@siemens.com, srinuvasan, Cedric Hombourger

From: srinuvasan <srinuv...@siemens.com>

Apply additional options to the tar command used to generate
reproducible source tarball: (1) use numeric and null [GU]IDs,
-clamp-mtime for file modification times to never be later than
SOURCE_DATE_EPOCH (preserving mtimes for files not modified by
the recipe) and --sort=name for consistent ordering within the
archive.

Signed-off-by: Cedric Hombourger <cedric.h...@siemens.com>
Signed-off-by: srinuvasan <srinuv...@siemens.com>
---
meta/classes-recipe/dpkg-source.bbclass | 5 +++++
meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb | 2 +-
2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/classes-recipe/dpkg-source.bbclass b/meta/classes-recipe/dpkg-source.bbclass

index a16e5812..1227da36 100644

--- a/meta/classes-recipe/dpkg-source.bbclass
+++ b/meta/classes-recipe/dpkg-source.bbclass
@@ -5,6 +5,11 @@

inherit dpkg-base

+TAR_REPRO_OPTS ?= "--exclude=.git --exclude=debian \

+--mtime=@${SOURCE_DATE_EPOCH} --clamp-mtime \
+--owner=0 --group=0 --numeric-owner \
+--sort=name"
+
DPKG_SOURCE_EXTRA_ARGS ?= "-I"

DEBIAN_SOURCE ?= "${BPN}"
diff --git a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
index 4d64ff8e..d2908536 100644
--- a/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
+++ b/meta/recipes-bsp/libubootenv/libubootenv_0.3.5-0.1.bb
@@ -25,5 +25,5 @@ CHANGELOG_V ?= "${PV}+isar-${SRCREV}"
do_prepare_build() {
deb_add_changelog
cd ${WORKDIR}
- tar cJf ${BPN}_${PV}+isar.orig.tar.xz --exclude=.git --exclude=debian ${P}
+ tar cJf ${BPN}_${PV}+isar.orig.tar.xz ${TAR_REPRO_OPTS} ${P}
}
--

2.34.1

Reply all

Reply to author

Forward