
Build reproducibility problem: "git archive" locally results in different .tar.gz than on GitHub #1279

Open
rugk opened this issue Mar 30, 2024 · 6 comments

@rugk (Member) commented Mar 30, 2024

Due to some minor changes in my signrelease.sh script I tried testing that out again, locally.

Steps to reproduce

  1. Checked out PrivateBin git repo as of 9a476ac, clean state (git status reports nothing)

Now executing signrelease.sh (in my case v rugk/gittools@35b6f16):

$ .../gittools/signrelease.sh
Executed in ***/PrivateBin/PrivateBin.
NOTE: You already need to have a published release on GitHub.
Enter the project name [PrivateBin]: 
Enter the tag to sign: 1.7.1
Paste GitHub URL here [https://github.com/PrivateBin/PrivateBin]: 
gpg: Signatur vom So 11 Feb 2024 15:32:00 CET
gpg:                mittels RSA-Schlüssel 1C2A890AF1135CEC3681666A0F5C940A6BD81F92
gpg: Korrekte Signatur von "El RIDO (key for signing the git commits of the PrivateBin project) <elrido@gmx.net>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 1C2A 890A F113 5CEC 3681  666A 0F5C 940A 6BD8 1F92
git archive --prefix=PrivateBin-1.7.1/ -o /tmp/signrelease-PrivateBin-1.7.1-ZVNj5gSpby/PrivateBin-1.7.1.tar.gz 1.7.1
git archive --prefix=PrivateBin-1.7.1/ -o /tmp/signrelease-PrivateBin-1.7.1-ZVNj5gSpby/PrivateBin-1.7.1.zip 1.7.1
Binärdateien /tmp/signrelease-PrivateBin-1.7.1-ZVNj5gSpby/PrivateBin-1.7.1.tar.gz und /tmp/signrelease-PrivateBin-1.7.1-ZVNj5gSpby/GitHubDownloadedArchive.tar.gz sind verschieden.
FATAL ERROR: GitHubs downloaded tar.gz archive file is different from our own.

What happens

The .tar.gz is different from GitHub grr…

Here are the files:
GitHubDownloadedArchive.tar.gz
PrivateBin-1.7.1.tar.gz

I uploaded them to https://try.diffoscope.org/qyqtqvygkghu.html (stable/archive link) even, and it says:

Format-specific differences are supported for Gzipped files but no file-specific differences were detected; falling back to a binary diff. file(1) reports: gzip compressed data, from Unix, original size modulo 2^32 2631680

…which is not really helpful.

Aka:

$ file *.tar.gz
GitHubDownloadedArchive.tar.gz: gzip compressed data, from Unix, original size modulo 2^32 2631680
PrivateBin-1.7.1.tar.gz:        gzip compressed data, from Unix, original size modulo 2^32 2631680

What should happen

Files should be the same.

Maybe my git version matters or how it is compressed?

More information

If I modify the script to nevertheless generate the ZIP and compare it, they are identical (different test run obviously here):

Dateien /tmp/signrelease-PrivateBin-1.7.1-TYSBv8q2Wd/PrivateBin-1.7.1.zip und /tmp/signrelease-PrivateBin-1.7.1-TYSBv8q2Wd/GitHubDownloadedArchive.zip sind identisch.

I also checked the timezone, as this had been an issue before, but in this case (as for .tar.gz files), this does not seem to make a difference:

$ sha256sum *.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  GitHubDownloadedArchive.tar.gz
ca7274e87ee621ca524e9457a4e6347f34286ac4680968431812cca3e870859d  PrivateBin-1.7.1-GMT-TZ.tar.gz
ca7274e87ee621ca524e9457a4e6347f34286ac4680968431812cca3e870859d  PrivateBin-1.7.1.tar.gz

I also ran the same with rugk/gittools@71a2d6a; the result is the same (hash also the same again).

System

$ rpm-ostree status -v
[…]
fedora:fedora/39/x86_64/silverblue (index: 1)
                  Version: 39.20240325.0 (2024-03-25T00:37:19Z)
[…]
$ uname -a
Linux **** 6.7.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar  6 19:35:04 UTC 2024 x86_64 GNU/Linux
$ git --version 
git version 2.44.0
$ rpm -q git
git-2.44.0-1.fc39.x86_64
$ tar --version
tar (GNU tar) 1.35
$ rpm -q tar    
tar-1.35-2.fc39.x86_64
$ gzip --version
gzip 1.12
[…]
$ rpm -q gzip   
gzip-1.12-6.fc39.x86_64
@rugk rugk added the bug label Mar 30, 2024
@elrido (Contributor) commented Mar 31, 2024

Hey, thanks for testing it. I'll also raise a PR over on your repo with my local script mods I had to do over the years, shortly.

In the meantime, 9a476ac is not tag 1.7.1, which is aad975a instead.

If I check out tag 1.7.1 (detached HEAD-less state) and run git archive I do get the same archive as github:

$ git checkout 1.7.1
[... something something PANIC ... detached HEAD-less state ... etc]
$ git status
HEAD detached at 1.7.1
$ git archive --prefix=PrivateBin-1.7.1/ -o /tmp/elrido.tar.gz 1.7.1
$ cd /tmp
$ sha256sum elrido.tar.gz rugk/*.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  elrido.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  rugk/GitHubDownloadedArchive.tar.gz
ca7274e87ee621ca524e9457a4e6347f34286ac4680968431812cca3e870859d  rugk/PrivateBin-1.7.1.tar.gz

Please verify on your end whether it is really just the difference in the checked-out git commit.

I would greatly, immensely appreciate it if you could verify that you are all set up and able to handle this process, too, should we need to urgently release something and I'm on holiday or otherwise absent.

@rugk (Member, Author) commented Apr 4, 2024

Ah thanks, wrong repo version, of course! (I thought my script checked out the tag; I was wrong, of course.)
And yeah, testing it was my aim.

Uhm, I do get different git hashes here, but I wonder why…

$ git checkout 1.7.1
HEAD ist jetzt bei aad975a7 incrementing version
$ git switch --detach 1.7.1                          
HEAD ist jetzt bei aad975a7 incrementing version
$ /signrelease.sh
Executed in /var/home/rugk/Software/PrivateBin/PrivateBin.
NOTE: You already need to have a published release on GitHub.
Enter the project name [PrivateBin]: 
Enter the tag to sign: 1.7.1
Paste GitHub URL here [https://github.com/PrivateBin/PrivateBin]: 
gpg: Signatur vom So 11 Feb 2024 15:32:00 CET
gpg:                mittels RSA-Schlüssel 1C2A890AF1135CEC3681666A0F5C940A6BD81F92
gpg: Korrekte Signatur von "El RIDO (key for signing the git commits of the PrivateBin project) <elrido@gmx.net>" [unbekannt]
gpg: WARNUNG: Dieser Schlüssel trägt keine vertrauenswürdige Signatur!
gpg:          Es gibt keinen Hinweis, daß die Signatur wirklich dem vorgeblichen Besitzer gehört.
Haupt-Fingerabdruck  = 1C2A 890A F113 5CEC 3681  666A 0F5C 940A 6BD8 1F92
git archive --prefix=PrivateBin-1.7.1/ -o /tmp/signrelease/PrivateBin-1.7.1-a5oKhJxSqs/PrivateBin-1.7.1.tar.gz 1.7.1
git archive --prefix=PrivateBin-1.7.1/ -o /tmp/signrelease/PrivateBin-1.7.1-a5oKhJxSqs/PrivateBin-1.7.1.zip 1.7.1
Binärdateien /tmp/signrelease/PrivateBin-1.7.1-a5oKhJxSqs/PrivateBin-1.7.1.tar.gz und /tmp/signrelease/PrivateBin-1.7.1-a5oKhJxSqs/GitHubDownloadedArchive.tar.gz sind verschieden.
FATAL ERROR: GitHubs downloaded tar.gz archive file is different from our own.
$ sha256sum *.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  GitHubDownloadedArchive.tar.gz
ca7274e87ee621ca524e9457a4e6347f34286ac4680968431812cca3e870859d  PrivateBin-1.7.1.tar.gz

So, huh, I still get ca7274e87ee621ca524e9457a4e6347f34286ac4680968431812cca3e870859d as the hash… wtf?

Also, if it were a difference in the files themselves/the content, diffoscope should have told me. I really guess it must be something else…
What git versions etc. did you use?

@elrido (Contributor) commented Apr 4, 2024

This was on an ubuntu 22.04 system:

$ git --version
git version 2.34.1
$ sha256sum --version
sha256sum (GNU coreutils) 8.32
[...]

It sounds very odd that you'd get the exact same ca727 sha-sum, even though you do now use a different git-hash. Probably you're running the command against a different tar-ball than the one you just generated? Still odd about the difference.

Let me repro this again, in fresh alpine and ubuntu containers with fresh git clones, so we can rule out further environmental factors.

@rugk (Member, Author) commented Apr 4, 2024

Tried searching for changelog entries etc. But it appears such problems are well known…
https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/ (note the date of this article though)

The thing is, it just looks as if my local version has changed, not the GitHub one… 😉

Note it could also be my distro patching it…

The only thing striking is:

On January 30, we deployed Git 2.38 to the service that powers source downloads. This version of Git changed the default compression command used for git archive generation from external gzip to an internal copy of gzip.

Or wait, did GitHub now opt to keep the old one due to the problems? But we both use newer ones? So we should either both be able to reproduce the different hash or not…?

@elrido (Contributor) commented Apr 4, 2024

The plot thickens: First, turns out that you don't actually need to have anything checked out, the last argument to git archive tells it which commit, branch or tag to export.

Second, notice that your git (2.44) keeps generating the ca727 hash, my ubuntu one (2.34) generates an archive with hash 136faa. Also, I can report that this script always worked for me and no diff was ever reported.

Third, here is what I get on alpine:

Unable to find image 'alpine:3.19' locally
3.19: Pulling from library/alpine
4abcf2066143: Pull complete 
Digest: sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b
Status: Downloaded newer image for alpine:3.19
/ # apk add git
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/10) Installing ca-certificates (20240226-r0)
(2/10) Installing brotli-libs (1.1.0-r1)
(3/10) Installing c-ares (1.27.0-r0)
(4/10) Installing libunistring (1.1-r2)
(5/10) Installing libidn2 (2.3.4-r4)
(6/10) Installing nghttp2-libs (1.58.0-r0)
(7/10) Installing libcurl (8.5.0-r0)
(8/10) Installing libexpat (2.6.2-r0)
(9/10) Installing pcre2 (10.42-r2)
(10/10) Installing git (2.43.0-r0)
Executing busybox-1.36.1-r15.trigger
Executing ca-certificates-20240226-r0.trigger
OK: 18 MiB in 25 packages
/ # git clone https://github.com/PrivateBin/PrivateBin.git
Cloning into 'PrivateBin'...
remote: Enumerating objects: 18490, done.
remote: Counting objects: 100% (5566/5566), done.
remote: Compressing objects: 100% (669/669), done.
remote: Total 18490 (delta 5341), reused 4954 (delta 4897), pack-reused 12924
Receiving objects: 100% (18490/18490), 13.07 MiB | 22.45 MiB/s, done.
Resolving deltas: 100% (13576/13576), done.
/ # cd PrivateBin/
/PrivateBin # git archive --prefix=PrivateBin-1.7.1/ -o ../git-1.7.1.tar.gz 1.7.1
/PrivateBin # cd ..
/ # wget -q -O github-1.7.1.tar.gz https://github.com/PrivateBin/PrivateBin/archive/refs/tags/1.7.1.tar.gz
/ # sha256sum *.tar.gz
ca7274e87ee621ca524e9457a4e6347f34286ac4680968431812cca3e870859d  git-1.7.1.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  github-1.7.1.tar.gz
/ # diff -s git-1.7.1.tar.gz github-1.7.1.tar.gz
Files git-1.7.1.tar.gz and github-1.7.1.tar.gz differ
/ # echo $?
1

So here I suddenly get that same ca727 hash!

That really starts to sound like version related differences. Further evidence:

$ docker run -ti --rm ubuntu:22.04
Unable to find image 'ubuntu:22.04' locally
22.04: Pulling from library/ubuntu
bccd10f490ab: Pull complete 
Digest: sha256:77906da86b60585ce12215807090eb327e7386c8fafb5402369e421f44eff17e
Status: Downloaded newer image for ubuntu:22.04
root@ba1992bdfa30:/# apt update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [110 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]                    
Get:3 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1641 kB]
Get:4 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [1081 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [2067 kB]
Get:6 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [44.6 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [119 kB]                   
Get:8 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [109 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [17.5 MB]
Get:10 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [164 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [266 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1792 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1920 kB]
Get:14 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [2107 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1358 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [61.2 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [80.9 kB]
Get:18 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [33.3 kB]
Fetched 30.7 MB in 3s (11.4 MB/s)                      
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
12 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@ba1992bdfa30:/# apt install git wget
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  ca-certificates git-man less libbrotli1 libbsd0 libcbor0.8 libcurl3-gnutls libedit2 liberror-perl libexpat1 libfido2-1 libgdbm-compat4 libgdbm6 libldap-2.5-0 libldap-common libmd0
  libnghttp2-14 libperl5.34 libpsl5 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh-4 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 netbase
  openssh-client openssl patch perl perl-modules-5.34 publicsuffix xauth
Suggested packages:
  gettext-base git-daemon-run | git-daemon-sysvinit git-doc git-email git-gui gitk gitweb git-cvs git-mediawiki git-svn gdbm-l10n libsasl2-modules-gssapi-mit
  | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql keychain libpam-ssh monkeysphere ssh-askpass ed diffutils-doc perl-doc
  libterm-readline-gnu-perl | libterm-readline-perl-perl make libtap-harness-archive-perl
The following NEW packages will be installed:
  ca-certificates git git-man less libbrotli1 libbsd0 libcbor0.8 libcurl3-gnutls libedit2 liberror-perl libexpat1 libfido2-1 libgdbm-compat4 libgdbm6 libldap-2.5-0 libldap-common libmd0
  libnghttp2-14 libperl5.34 libpsl5 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh-4 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 netbase
  openssh-client openssl patch perl perl-modules-5.34 publicsuffix wget xauth
0 upgraded, 41 newly installed, 0 to remove and 12 not upgraded.
Need to get 17.8 MB of archives.
After this operation, 85.2 MB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 perl-modules-5.34 all 5.34.0-3ubuntu1.3 [2976 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy/main amd64 libgdbm6 amd64 1.23-1 [33.9 kB]
Get:3 http://archive.ubuntu.com/ubuntu jammy/main amd64 libgdbm-compat4 amd64 1.23-1 [6606 B]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libperl5.34 amd64 5.34.0-3ubuntu1.3 [4820 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 perl amd64 5.34.0-3ubuntu1.3 [232 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 openssl amd64 3.0.2-0ubuntu1.15 [1186 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 ca-certificates all 20230311ubuntu0.22.04.1 [155 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 less amd64 590-1ubuntu0.22.04.2 [143 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy/main amd64 libmd0 amd64 1.0.4-1build1 [23.0 kB]
Get:10 http://archive.ubuntu.com/ubuntu jammy/main amd64 libbsd0 amd64 0.11.5-1 [44.8 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libexpat1 amd64 2.4.7-1ubuntu0.3 [91.0 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy/main amd64 netbase all 6.3 [12.9 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy/main amd64 libcbor0.8 amd64 0.8.0-2ubuntu1 [24.6 kB]
Get:14 http://archive.ubuntu.com/ubuntu jammy/main amd64 libedit2 amd64 3.1-20210910-1build1 [96.8 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy/main amd64 libfido2-1 amd64 1.10.0-1 [82.8 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libnghttp2-14 amd64 1.43.0-1ubuntu0.1 [76.7 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy/main amd64 libpsl5 amd64 0.21.0-1.2build2 [58.4 kB]
Get:18 http://archive.ubuntu.com/ubuntu jammy/main amd64 libxau6 amd64 1:1.0.9-1build5 [7634 B]
Get:19 http://archive.ubuntu.com/ubuntu jammy/main amd64 libxdmcp6 amd64 1:1.1.3-0ubuntu5 [10.9 kB]
Get:20 http://archive.ubuntu.com/ubuntu jammy/main amd64 libxcb1 amd64 1.14-3ubuntu3 [49.0 kB]
Get:21 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libx11-data all 2:1.7.5-1ubuntu0.3 [120 kB]
Get:22 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libx11-6 amd64 2:1.7.5-1ubuntu0.3 [667 kB]
Get:23 http://archive.ubuntu.com/ubuntu jammy/main amd64 libxext6 amd64 2:1.3.4-1build1 [31.8 kB]
Get:24 http://archive.ubuntu.com/ubuntu jammy/main amd64 libxmuu1 amd64 2:1.1.3-3 [10.2 kB]
Get:25 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 openssh-client amd64 1:8.9p1-3ubuntu0.6 [906 kB]
Get:26 http://archive.ubuntu.com/ubuntu jammy/main amd64 publicsuffix all 20211207.1025-1 [129 kB]
Get:27 http://archive.ubuntu.com/ubuntu jammy/main amd64 wget amd64 1.21.2-2ubuntu1 [367 kB]
Get:28 http://archive.ubuntu.com/ubuntu jammy/main amd64 xauth amd64 1:1.1-1build2 [27.5 kB]
Get:29 http://archive.ubuntu.com/ubuntu jammy/main amd64 libbrotli1 amd64 1.0.9-2build6 [315 kB]
Get:30 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libsasl2-modules-db amd64 2.1.27+dfsg2-3ubuntu1.2 [20.5 kB]
Get:31 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libsasl2-2 amd64 2.1.27+dfsg2-3ubuntu1.2 [53.8 kB]
Get:32 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libldap-2.5-0 amd64 2.5.17+dfsg-0ubuntu0.22.04.1 [183 kB]
Get:33 http://archive.ubuntu.com/ubuntu jammy/main amd64 librtmp1 amd64 2.4+20151223.gitfa8646d.1-2build4 [58.2 kB]
Get:34 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libssh-4 amd64 0.9.6-2ubuntu0.22.04.3 [186 kB]
Get:35 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libcurl3-gnutls amd64 7.81.0-1ubuntu1.16 [284 kB]
Get:36 http://archive.ubuntu.com/ubuntu jammy/main amd64 liberror-perl all 0.17029-1 [26.5 kB]
Get:37 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 git-man all 1:2.34.1-1ubuntu1.10 [954 kB]
Get:38 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 git amd64 1:2.34.1-1ubuntu1.10 [3166 kB]
Get:39 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libldap-common all 2.5.17+dfsg-0ubuntu0.22.04.1 [15.8 kB]
Get:40 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libsasl2-modules amd64 2.1.27+dfsg2-3ubuntu1.2 [68.8 kB]
Get:41 http://archive.ubuntu.com/ubuntu jammy/main amd64 patch amd64 2.7.6-7build2 [109 kB]
Fetched 17.8 MB in 2s (9130 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package perl-modules-5.34.
(Reading database ... 4393 files and directories currently installed.)
Preparing to unpack .../00-perl-modules-5.34_5.34.0-3ubuntu1.3_all.deb ...
Unpacking perl-modules-5.34 (5.34.0-3ubuntu1.3) ...
Selecting previously unselected package libgdbm6:amd64.
Preparing to unpack .../01-libgdbm6_1.23-1_amd64.deb ...
Unpacking libgdbm6:amd64 (1.23-1) ...
Selecting previously unselected package libgdbm-compat4:amd64.
Preparing to unpack .../02-libgdbm-compat4_1.23-1_amd64.deb ...
Unpacking libgdbm-compat4:amd64 (1.23-1) ...
Selecting previously unselected package libperl5.34:amd64.
Preparing to unpack .../03-libperl5.34_5.34.0-3ubuntu1.3_amd64.deb ...
Unpacking libperl5.34:amd64 (5.34.0-3ubuntu1.3) ...
Selecting previously unselected package perl.
Preparing to unpack .../04-perl_5.34.0-3ubuntu1.3_amd64.deb ...
Unpacking perl (5.34.0-3ubuntu1.3) ...
Selecting previously unselected package openssl.
Preparing to unpack .../05-openssl_3.0.2-0ubuntu1.15_amd64.deb ...
Unpacking openssl (3.0.2-0ubuntu1.15) ...
Selecting previously unselected package ca-certificates.
Preparing to unpack .../06-ca-certificates_20230311ubuntu0.22.04.1_all.deb ...
Unpacking ca-certificates (20230311ubuntu0.22.04.1) ...
Selecting previously unselected package less.
Preparing to unpack .../07-less_590-1ubuntu0.22.04.2_amd64.deb ...
Unpacking less (590-1ubuntu0.22.04.2) ...
Selecting previously unselected package libmd0:amd64.
Preparing to unpack .../08-libmd0_1.0.4-1build1_amd64.deb ...
Unpacking libmd0:amd64 (1.0.4-1build1) ...
Selecting previously unselected package libbsd0:amd64.
Preparing to unpack .../09-libbsd0_0.11.5-1_amd64.deb ...
Unpacking libbsd0:amd64 (0.11.5-1) ...
Selecting previously unselected package libexpat1:amd64.
Preparing to unpack .../10-libexpat1_2.4.7-1ubuntu0.3_amd64.deb ...
Unpacking libexpat1:amd64 (2.4.7-1ubuntu0.3) ...
Selecting previously unselected package netbase.
Preparing to unpack .../11-netbase_6.3_all.deb ...
Unpacking netbase (6.3) ...
Selecting previously unselected package libcbor0.8:amd64.
Preparing to unpack .../12-libcbor0.8_0.8.0-2ubuntu1_amd64.deb ...
Unpacking libcbor0.8:amd64 (0.8.0-2ubuntu1) ...
Selecting previously unselected package libedit2:amd64.
Preparing to unpack .../13-libedit2_3.1-20210910-1build1_amd64.deb ...
Unpacking libedit2:amd64 (3.1-20210910-1build1) ...
Selecting previously unselected package libfido2-1:amd64.
Preparing to unpack .../14-libfido2-1_1.10.0-1_amd64.deb ...
Unpacking libfido2-1:amd64 (1.10.0-1) ...
Selecting previously unselected package libnghttp2-14:amd64.
Preparing to unpack .../15-libnghttp2-14_1.43.0-1ubuntu0.1_amd64.deb ...
Unpacking libnghttp2-14:amd64 (1.43.0-1ubuntu0.1) ...
Selecting previously unselected package libpsl5:amd64.
Preparing to unpack .../16-libpsl5_0.21.0-1.2build2_amd64.deb ...
Unpacking libpsl5:amd64 (0.21.0-1.2build2) ...
Selecting previously unselected package libxau6:amd64.
Preparing to unpack .../17-libxau6_1%3a1.0.9-1build5_amd64.deb ...
Unpacking libxau6:amd64 (1:1.0.9-1build5) ...
Selecting previously unselected package libxdmcp6:amd64.
Preparing to unpack .../18-libxdmcp6_1%3a1.1.3-0ubuntu5_amd64.deb ...
Unpacking libxdmcp6:amd64 (1:1.1.3-0ubuntu5) ...
Selecting previously unselected package libxcb1:amd64.
Preparing to unpack .../19-libxcb1_1.14-3ubuntu3_amd64.deb ...
Unpacking libxcb1:amd64 (1.14-3ubuntu3) ...
Selecting previously unselected package libx11-data.
Preparing to unpack .../20-libx11-data_2%3a1.7.5-1ubuntu0.3_all.deb ...
Unpacking libx11-data (2:1.7.5-1ubuntu0.3) ...
Selecting previously unselected package libx11-6:amd64.
Preparing to unpack .../21-libx11-6_2%3a1.7.5-1ubuntu0.3_amd64.deb ...
Unpacking libx11-6:amd64 (2:1.7.5-1ubuntu0.3) ...
Selecting previously unselected package libxext6:amd64.
Preparing to unpack .../22-libxext6_2%3a1.3.4-1build1_amd64.deb ...
Unpacking libxext6:amd64 (2:1.3.4-1build1) ...
Selecting previously unselected package libxmuu1:amd64.
Preparing to unpack .../23-libxmuu1_2%3a1.1.3-3_amd64.deb ...
Unpacking libxmuu1:amd64 (2:1.1.3-3) ...
Selecting previously unselected package openssh-client.
Preparing to unpack .../24-openssh-client_1%3a8.9p1-3ubuntu0.6_amd64.deb ...
Unpacking openssh-client (1:8.9p1-3ubuntu0.6) ...
Selecting previously unselected package publicsuffix.
Preparing to unpack .../25-publicsuffix_20211207.1025-1_all.deb ...
Unpacking publicsuffix (20211207.1025-1) ...
Selecting previously unselected package wget.
Preparing to unpack .../26-wget_1.21.2-2ubuntu1_amd64.deb ...
Unpacking wget (1.21.2-2ubuntu1) ...
Selecting previously unselected package xauth.
Preparing to unpack .../27-xauth_1%3a1.1-1build2_amd64.deb ...
Unpacking xauth (1:1.1-1build2) ...
Selecting previously unselected package libbrotli1:amd64.
Preparing to unpack .../28-libbrotli1_1.0.9-2build6_amd64.deb ...
Unpacking libbrotli1:amd64 (1.0.9-2build6) ...
Selecting previously unselected package libsasl2-modules-db:amd64.
Preparing to unpack .../29-libsasl2-modules-db_2.1.27+dfsg2-3ubuntu1.2_amd64.deb ...
Unpacking libsasl2-modules-db:amd64 (2.1.27+dfsg2-3ubuntu1.2) ...
Selecting previously unselected package libsasl2-2:amd64.
Preparing to unpack .../30-libsasl2-2_2.1.27+dfsg2-3ubuntu1.2_amd64.deb ...
Unpacking libsasl2-2:amd64 (2.1.27+dfsg2-3ubuntu1.2) ...
Selecting previously unselected package libldap-2.5-0:amd64.
Preparing to unpack .../31-libldap-2.5-0_2.5.17+dfsg-0ubuntu0.22.04.1_amd64.deb ...
Unpacking libldap-2.5-0:amd64 (2.5.17+dfsg-0ubuntu0.22.04.1) ...
Selecting previously unselected package librtmp1:amd64.
Preparing to unpack .../32-librtmp1_2.4+20151223.gitfa8646d.1-2build4_amd64.deb ...
Unpacking librtmp1:amd64 (2.4+20151223.gitfa8646d.1-2build4) ...
Selecting previously unselected package libssh-4:amd64.
Preparing to unpack .../33-libssh-4_0.9.6-2ubuntu0.22.04.3_amd64.deb ...
Unpacking libssh-4:amd64 (0.9.6-2ubuntu0.22.04.3) ...
Selecting previously unselected package libcurl3-gnutls:amd64.
Preparing to unpack .../34-libcurl3-gnutls_7.81.0-1ubuntu1.16_amd64.deb ...
Unpacking libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.16) ...
Selecting previously unselected package liberror-perl.
Preparing to unpack .../35-liberror-perl_0.17029-1_all.deb ...
Unpacking liberror-perl (0.17029-1) ...
Selecting previously unselected package git-man.
Preparing to unpack .../36-git-man_1%3a2.34.1-1ubuntu1.10_all.deb ...
Unpacking git-man (1:2.34.1-1ubuntu1.10) ...
Selecting previously unselected package git.
Preparing to unpack .../37-git_1%3a2.34.1-1ubuntu1.10_amd64.deb ...
Unpacking git (1:2.34.1-1ubuntu1.10) ...
Selecting previously unselected package libldap-common.
Preparing to unpack .../38-libldap-common_2.5.17+dfsg-0ubuntu0.22.04.1_all.deb ...
Unpacking libldap-common (2.5.17+dfsg-0ubuntu0.22.04.1) ...
Selecting previously unselected package libsasl2-modules:amd64.
Preparing to unpack .../39-libsasl2-modules_2.1.27+dfsg2-3ubuntu1.2_amd64.deb ...
Unpacking libsasl2-modules:amd64 (2.1.27+dfsg2-3ubuntu1.2) ...
Selecting previously unselected package patch.
Preparing to unpack .../40-patch_2.7.6-7build2_amd64.deb ...
Unpacking patch (2.7.6-7build2) ...
Setting up libexpat1:amd64 (2.4.7-1ubuntu0.3) ...
Setting up libxau6:amd64 (1:1.0.9-1build5) ...
Setting up libpsl5:amd64 (0.21.0-1.2build2) ...
Setting up wget (1.21.2-2ubuntu1) ...
Setting up libcbor0.8:amd64 (0.8.0-2ubuntu1) ...
Setting up libbrotli1:amd64 (1.0.9-2build6) ...
Setting up libsasl2-modules:amd64 (2.1.27+dfsg2-3ubuntu1.2) ...
Setting up libnghttp2-14:amd64 (1.43.0-1ubuntu0.1) ...
Setting up less (590-1ubuntu0.22.04.2) ...
Setting up perl-modules-5.34 (5.34.0-3ubuntu1.3) ...
Setting up libldap-common (2.5.17+dfsg-0ubuntu0.22.04.1) ...
Setting up libsasl2-modules-db:amd64 (2.1.27+dfsg2-3ubuntu1.2) ...
Setting up libx11-data (2:1.7.5-1ubuntu0.3) ...
Setting up librtmp1:amd64 (2.4+20151223.gitfa8646d.1-2build4) ...
Setting up patch (2.7.6-7build2) ...
Setting up libsasl2-2:amd64 (2.1.27+dfsg2-3ubuntu1.2) ...
Setting up libssh-4:amd64 (0.9.6-2ubuntu0.22.04.3) ...
Setting up libmd0:amd64 (1.0.4-1build1) ...
Setting up git-man (1:2.34.1-1ubuntu1.10) ...
Setting up netbase (6.3) ...
Setting up libfido2-1:amd64 (1.10.0-1) ...
Setting up openssl (3.0.2-0ubuntu1.15) ...
Setting up libbsd0:amd64 (0.11.5-1) ...
Setting up publicsuffix (20211207.1025-1) ...
Setting up libgdbm6:amd64 (1.23-1) ...
Setting up libxdmcp6:amd64 (1:1.1.3-0ubuntu5) ...
Setting up libxcb1:amd64 (1.14-3ubuntu3) ...
Setting up libedit2:amd64 (3.1-20210910-1build1) ...
Setting up libldap-2.5-0:amd64 (2.5.17+dfsg-0ubuntu0.22.04.1) ...
Setting up ca-certificates (20230311ubuntu0.22.04.1) ...
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline
Updating certificates in /etc/ssl/certs...
137 added, 0 removed; done.
Setting up libgdbm-compat4:amd64 (1.23-1) ...
Setting up libx11-6:amd64 (2:1.7.5-1ubuntu0.3) ...
Setting up libxmuu1:amd64 (2:1.1.3-3) ...
Setting up libperl5.34:amd64 (5.34.0-3ubuntu1.3) ...
Setting up openssh-client (1:8.9p1-3ubuntu0.6) ...
update-alternatives: using /usr/bin/ssh to provide /usr/bin/rsh (rsh) in auto mode
update-alternatives: warning: skip creation of /usr/share/man/man1/rsh.1.gz because associated file /usr/share/man/man1/ssh.1.gz (of link group rsh) doesn't exist
update-alternatives: using /usr/bin/slogin to provide /usr/bin/rlogin (rlogin) in auto mode
update-alternatives: warning: skip creation of /usr/share/man/man1/rlogin.1.gz because associated file /usr/share/man/man1/slogin.1.gz (of link group rlogin) doesn't exist
update-alternatives: using /usr/bin/scp to provide /usr/bin/rcp (rcp) in auto mode
update-alternatives: warning: skip creation of /usr/share/man/man1/rcp.1.gz because associated file /usr/share/man/man1/scp.1.gz (of link group rcp) doesn't exist
Setting up libxext6:amd64 (2:1.3.4-1build1) ...
Setting up libcurl3-gnutls:amd64 (7.81.0-1ubuntu1.16) ...
Setting up perl (5.34.0-3ubuntu1.3) ...
Setting up xauth (1:1.1-1build2) ...
Setting up liberror-perl (0.17029-1) ...
Setting up git (1:2.34.1-1ubuntu1.10) ...
Processing triggers for libc-bin (2.35-0ubuntu3.6) ...
Processing triggers for ca-certificates (20230311ubuntu0.22.04.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@ba1992bdfa30:/# git clone https://github.com/PrivateBin/PrivateBin.git
Cloning into 'PrivateBin'...
remote: Enumerating objects: 18490, done.
remote: Counting objects: 100% (5566/5566), done.
remote: Compressing objects: 100% (666/666), done.
remote: Total 18490 (delta 5342), reused 4957 (delta 4900), pack-reused 12924
Receiving objects: 100% (18490/18490), 13.06 MiB | 3.94 MiB/s, done.
Resolving deltas: 100% (13579/13579), done.
root@ba1992bdfa30:/# cd PrivateBin/
root@ba1992bdfa30:/PrivateBin# git archive --prefix=PrivateBin-1.7.1/ -o ../git-1.7.1.tar.gz 1.7.1
root@ba1992bdfa30:/PrivateBin# cd ..
root@ba1992bdfa30:/# wget -q -O github-1.7.1.tar.gz https://github.com/PrivateBin/PrivateBin/archive/refs/tags/1.7.1.tar.gz
root@ba1992bdfa30:/# sha256sum *.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  git-1.7.1.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  github-1.7.1.tar.gz
root@ba1992bdfa30:/# diff -s git-1.7.1.tar.gz github-1.7.1.tar.gz
Files git-1.7.1.tar.gz and github-1.7.1.tar.gz are identical
root@ba1992bdfa30:/# echo $?
0

@elrido (Contributor) commented Apr 4, 2024

Reading the github blog post you linked more closely: they did change the git archive generation, but...

On January 30, we deployed Git 2.38 to the service that powers source downloads. This version of Git changed the default compression command used for git archive generation from external gzip to an internal copy of gzip. [...]

As it turned out, many communities had built assumptions about source downloads and their hashes. [...]

Was this a surprise?

Yes and no. We were aware of the change of default in the git archive command. What we didn’t expect was the broad impact this might have on a number of communities.

[...]

Future stability of archives and hashes

  1. GitHub will hold the source downloads byte-for-byte stable for no less than a year from today (February 21, 2023). [...]
  2. In the future, if we intend to change either archive format, we’ll provide six months’ notice in documentation, and on the blog and changelog. [...]

So I simply didn't notice because my ubuntu git was always below 2.38 and I didn't happen to do a release during the above time frame that github returned different archives. Our container image builds during that time might have failed, though.

On to workarounds for newer git versions. We can configure it to still use an external compression command as follows (again tested in alpine, with git 2.43):

/ # git clone https://github.com/PrivateBin/PrivateBin.git
Cloning into 'PrivateBin'...
remote: Enumerating objects: 18490, done.
remote: Counting objects: 100% (5566/5566), done.
remote: Compressing objects: 100% (666/666), done.
remote: Total 18490 (delta 5342), reused 4957 (delta 4900), pack-reused 12924
Receiving objects: 100% (18490/18490), 13.06 MiB | 21.61 MiB/s, done.
Resolving deltas: 100% (13579/13579), done.
/ # cd PrivateBin/
/PrivateBin # git archive --format=tar --prefix=PrivateBin-1.7.1/ 1.7.1 | gzip > ../piped-1.7.1.tar.gz
# or alternatively:
/PrivateBin # git config tar.tar.gz.command "gzip -cn"
/PrivateBin # git archive --prefix=PrivateBin-1.7.1/ -o ../external-1.7.1.tar.gz 1.7.1
/PrivateBin # cd ..
/ # sha256sum *.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  external-1.7.1.tar.gz
136faa5ba0c2d51ace916a2c0b282f5c7d5376265406040c91730e28233367ff  piped-1.7.1.tar.gz
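Two places in this thread call for the same check: the opening report, where diffoscope fell back to a binary diff and could not say whether the two archives differ in content or only in compression, and the `gzip -cn` workaround above, whose whole point is that the gzip wrapper (not the tar payload) is what git's internal gzip changed. The script below is an added example and is not code from the PrivateBin project, from rugk's gittools, or from anyone in this thread. It decodes the RFC 1952 gzip header of each archive (timestamp, stored file name, OS byte), decompresses both and compares the inner tar byte-for-byte, and, if the payloads differ, lists which tar members actually changed. The sample archives are constructed inline so it runs offline: `gzip.compress(..., mtime=0)` is used as a stand-in for `gzip -cn`, a `GzipFile` with a file name and timestamp as a stand-in for plain `gzip` without `-n`, and the member names under `PrivateBin-1.7.1/` are placeholders, not the real release content. Note that it does not reproduce git's internal compressor; two implementations can produce different deflate streams with identical headers, which is exactly why the payload comparison, not the header dump, is the decisive part.

```python
"""Compression-agnostic comparison of two .tar.gz release archives.

Added example, not part of the PrivateBin issue or of signrelease.sh.
All sample archives below are constructed in memory so this runs offline.
"""
import gzip
import hashlib
import io
import struct
import tarfile

GZIP_MAGIC = b"\x1f\x8b"


def parse_gzip_header(data: bytes) -> dict:
    """Decode the RFC 1952 header, where gzip front-ends most visibly differ."""
    if len(data) < 10 or data[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream")
    method, flags, mtime, xfl, os_code = struct.unpack("<BBIBB", data[2:10])
    pos = 10
    name = None
    if flags & 0x04:  # FEXTRA
        (xlen,) = struct.unpack("<H", data[pos:pos + 2])
        pos += 2 + xlen
    if flags & 0x08:  # FNAME: original file name, which `gzip -n` omits
        end = data.index(b"\x00", pos)
        name = data[pos:end].decode("latin-1")
        pos = end + 1
    if flags & 0x10:  # FCOMMENT
        pos = data.index(b"\x00", pos) + 1
    if flags & 0x02:  # FHCRC
        pos += 2
    return {"method": method, "flags": flags, "mtime": mtime, "xfl": xfl,
            "os": os_code, "name": name, "header_len": pos}


def tar_member_digests(gz: bytes) -> dict:
    """Map every tar member to a SHA-256 of its content (or its type for non-files)."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(gz), mode="r:gz") as tf:
        for member in tf:
            if member.isfile():
                digests[member.name] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
            else:
                digests[member.name] = "type:%r" % member.type
    return digests


def compare_archives(a: bytes, b: bytes) -> dict:
    """Separate 'same payload, different gzip wrapper' from a real content difference."""
    payload_a = hashlib.sha256(gzip.decompress(a)).hexdigest()
    payload_b = hashlib.sha256(gzip.decompress(b)).hexdigest()
    return {
        "outer_identical": a == b,
        "payload_identical": payload_a == payload_b,
        "members_identical": tar_member_digests(a) == tar_member_digests(b),
        "header_a": parse_gzip_header(a),
        "header_b": parse_gzip_header(b),
    }


def diff_members(a: bytes, b: bytes) -> list:
    """Names of members whose content differs or that exist in only one archive."""
    da, db = tar_member_digests(a), tar_member_digests(b)
    return sorted(n for n in set(da) | set(db) if da.get(n) != db.get(n))


# --- constructed sample data (placeholder content, not the real release) -----
FIXED_MTIME = 1707661920  # arbitrary fixed timestamp so the tar itself is reproducible


def build_tar(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = FIXED_MTIME
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_samples() -> dict:
    files = {
        "PrivateBin-1.7.1/index.php": b"<?php\n// placeholder entry point\n" * 40,
        "PrivateBin-1.7.1/lib/Configuration.php": b"<?php\nclass Configuration {}\n" * 40,
    }
    tar = build_tar(files)
    # Stand-in for `gzip -cn`: no stored name, zero timestamp in the header.
    plain = gzip.compress(tar, compresslevel=6, mtime=0)
    # Stand-in for plain `gzip` without -n: stores the original name and a
    # timestamp, so the bytes differ although the tar payload is identical.
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", filename="PrivateBin-1.7.1.tar",
                       mtime=FIXED_MTIME) as gz:
        gz.write(tar)
    stamped = buf.getvalue()
    # A genuinely different payload: one member's content changed.
    files["PrivateBin-1.7.1/lib/Configuration.php"] += b"// changed line\n"
    modified = gzip.compress(build_tar(files), compresslevel=6, mtime=0)
    return {"plain": plain, "stamped": stamped, "modified": modified}


SAMPLES = build_samples()

if __name__ == "__main__":
    for left, right in (("plain", "stamped"), ("plain", "modified")):
        r = compare_archives(SAMPLES[left], SAMPLES[right])
        print(left, "vs", right, "outer identical:", r["outer_identical"],
              "payload identical:", r["payload_identical"],
              "differing members:", diff_members(SAMPLES[left], SAMPLES[right]))
```

Run against the two real files from the report (`compare_archives(open("GitHubDownloadedArchive.tar.gz", "rb").read(), open("PrivateBin-1.7.1.tar.gz", "rb").read())`), `payload_identical` answers the question diffoscope could not: whether the 136faa/ca727 mismatch is purely a compressor difference. For a release-signing script that is the property worth asserting before signing, since the downstream concern is the content people unpack, not which gzip wrote the wrapper.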
