tar.gz output files contain nonreproducible timestamps
Steps to reproduce:
Run the following command twice:
./rbm/rbm build gocompress --target nightly --target torbrowser-linux-x86_64
The output .tar.gz files should be identical.
The gzip header contains different timestamps per build, based on when the build was done. See the following Diffoscope:
Text version of Diffoscope output in case the above link expires:
--- a/gocompress-cc9eb1d7ad76-linux-x86_64-4fd18e.tar.gz +++ b/gocompress-cc9eb1d7ad76-linux-x86_64-4fd18e.tar.gz ├── filetype from file(1) │ @@ -1 +1 @@ │ -gzip compressed data, last modified: Tue Jul 30 00:09:03 2019, from Unix, original size 20551680 │ +gzip compressed data, last modified: Tue Jul 30 00:11:48 2019, from Unix, original size 20551680
Switching from .tar.gz to .tar.xz fixes the issue and results in reproducible binaries. Given that .xz has much better compression than .gz and (AFAIK) is usually readily available on GNU/Linux and macOS systems just like .gz, my recommendation is to simply switch the .tar.gz to .tar.xz in tor-browser-build, and add a warning to the "tar" entry in rbm's options_misc.asc saying that using .gz compression should not be used because it will break reproducibility.
Since this issue affects both rbm and Tor Browser, I'm not sure which component to select for this ticket. I'm going with rbm, but feel free to change that if you like. Or feel free to split it into 2 tickets if that makes it easier to make sure that both components get a fix.