Uploading tarballs to the registry is currently non-reproducible because file modification times (among other things) are included in the tar / gzip process. There is no way to make deterministic tarballs via the node-tar library (the solution in the issue for it does not work; we tried it and had to revert the commit).
We'd like to be able to regenerate the registry with all the metadata hashes remaining the same, at least for the duration of the alpha. Otherwise, changing something about the manifest format or files we include in the tarballs will cause all hashes to change.
Uploading tarballs to the registry is currently non-reproducible because file modification times (among other things) are included in the tar / gzip process. There is no way to make deterministic tarballs via the
node-tarlibrary (the solution in the issue for it does not work; we tried it and had to revert the commit).We'd like to be able to regenerate the registry with all the metadata hashes remaining the same, at least for the duration of the alpha. Otherwise, changing something about the manifest format or files we include in the tarballs will cause all hashes to change.
Some notes on reproducible builds:
I would recommend that we rely on
tarandgzipvia the Nix shell so that we can use the recommended approaches from Debian et al.