[R-pkg-devel] Ensuring permanence and SHA consistency of released CRAN packages for validated software

Dirk Eddelbuettel edd at debian.org
Thu Mar 17 02:58:07 CET 2022


On 16 March 2022 at 14:01, Henrik Bengtsson wrote:
| Related to this, there's also been discussion (here or on R-devel), of
| having `R CMD build` produce identical tarballs when the input doesn't
| change, but the injection of `Packaged: <timestamp>; <user>` to the
| `DESCRIPTION` file prevents this. If I recall correctly, there was at
| least some discussion on being able to control, or anonymize, the
| <user> part.

It's much bigger than R:  https://reproducible-builds.org/

Started within Debian, but grew fairly quickly beyond one distribution to
many. We patched the build to use the (fixed) time from debian/changelog
(rather than current build time) and a few more things and were at some point
compliant, but there is still more and the package I stand behind as far as
Debian is concerned currently fails this goal of reproducible (i.e. binary
identical) builds [1] (and I have limited time to chase this, but the
initiative is very very good).

If someone wants to help, please get in touch off-list. It should just require
some patience and diligence and I may teach you Debian builds in the
process.  The r-cran-* packages generally pass which is good.

Dirk

[1] https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/r-base.html


-- 
https://dirk.eddelbuettel.com | @eddelbuettel | edd using debian.org
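
An added example (not from the original message, and not R or Debian tooling): a check that two source tarballs built from the same input differ only in the `Packaged:` field and archive timestamps, done by hashing normalized contents instead of the raw file. The package name `demo`, the sample field values and all function names are constructed for illustration.

```python
import hashlib
import io
import tarfile


def build_tarball(packaged, mtime, source='hello <- function() "hi"\n'):
    """Constructed stand-in for `R CMD build` output (package `demo` is made up)."""
    files = {
        "demo/DESCRIPTION": f"Package: demo\nVersion: 1.0.0\nPackaged: {packaged}\n",
        "demo/R/hello.R": source,
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def strip_packaged(description):
    """Drop the Packaged: field, including any DCF continuation lines."""
    kept, skipping = [], False
    for line in description.splitlines(keepends=True):
        if line.startswith(b"Packaged:"):
            skipping = True
        elif not (skipping and line[:1] in (b" ", b"\t")):
            skipping = False
            kept.append(line)
    return b"".join(kept)


def normalized_digest(tarball):
    """SHA-256 over sorted member names, types, link targets and contents.
    Ignores gzip/tar timestamps and ownership, and the Packaged: field of the
    top-level DESCRIPTION."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            data = tar.extractfile(m).read() if m.isfile() else b""
            if m.name.split("/")[1:] == ["DESCRIPTION"]:
                data = strip_packaged(data)
            for part in (m.name.encode(), m.type, m.linkname.encode(), data):
                # Length-prefix each part so field boundaries are unambiguous.
                h.update(len(part).to_bytes(8, "big") + part)
    return h.hexdigest()
```

A matching normalized digest shows the two builds carry the same sources; it does not replace the raw SHA of the released file, which still identifies that exact artifact.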


