Skip to content

Reproducible builds: ensure unix permissions are reproducible #2819

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 16, 2025
Merged

Reproducible builds: ensure unix permissions are reproducible #2819

merged 1 commit into from
Oct 16, 2025

Conversation

@snazy
Copy link
Member

@snazy snazy commented Oct 15, 2025

Zip and tar files contain the unix file/directory permissions for the included zip/tar entries. The "default" values for those can differ depending on the platform those are built on. This change ensures 755 for directories and owner/group/other=read+write for files. The "executable" bit isn't forcefully set in case the archived file is an executable.

@snazy
Reproducible builds: ensure unix permissions are reproducible
bbfd396 
Zip and tar files contain the unix file/directory permissions for the included zip/tar entries. The "default" values for those can differ depending on the platform those are built on. This change ensures `755` for directories and owner/group/other=read+write for files. The "executable" bit isn't forcefully set in case the archived file _is_ an executable.
@github-project-automation github-project-automation bot moved this to PRs In Progress in Basic Kanban Board Oct 15, 2025
@snazy
Copy link
Member Author

snazy commented Oct 15, 2025
edited
Loading

Noticed that the binary jar files of 1.2.0-incubating-rc1 in the staging repo are different (md5sum for example) from those built locally from the same Git commit.

The reason was the "group write" POSIX permission bit as reported by zipinfo for example for the polaris-version jar artifact:

Zip file size: 21060 bytes, number of entries: 26
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/
-rw-r--r--  2.0 unx      495 b- defN 80-Feb-01 00:00 META-INF/MANIFEST.MF
drwxrwxr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/
drwxrwxr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/apache/
drwxrwxr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/apache/polaris/
drwxrwxr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/apache/polaris/version/
-rw-rw-r--  2.0 unx     5085 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion$PolarisVersionJarInfo.class
-rw-rw-r--  2.0 unx     1735 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion$PolarisVersionNumber.class
-rw-rw-r--  2.0 unx      993 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion$PolarisVersionResource.class
-rw-rw-r--  2.0 unx     4256 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion.class
-rw-rw-r--  2.0 unx      693 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersionProvider.class
-rw-rw-r--  2.0 unx    11358 b- defN 80-Feb-01 00:00 META-INF/LICENSE
-rw-rw-r--  2.0 unx      305 b- defN 80-Feb-01 00:00 META-INF/NOTICE
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/maven/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/polaris-version/
-rw-rw-r--  2.0 unx      119 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/polaris-version/pom.properties
-rw-rw-r--  2.0 unx     2462 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/polaris-version/pom.xml
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/resources/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/
-rw-rw-r--  2.0 unx    18848 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/LICENSE.txt
-rw-rw-r--  2.0 unx      544 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/NOTICE.txt
-rw-rw-r--  2.0 unx       17 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/version.txt
-rw-rw-r--  2.0 unx      823 b- defN 80-Feb-01 00:00 org/apache/polaris/version/polaris-version.properties
drwxrwxr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 gradle/
drwxrwxr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 gradle/jar-licenses/
26 files, 47733 bytes uncompressed, 17228 bytes compressed:  63.9%

vs

Zip file size: 21060 bytes, number of entries: 26
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/
-rw-r--r--  2.0 unx      495 b- defN 80-Feb-01 00:00 META-INF/MANIFEST.MF
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/apache/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/apache/polaris/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 org/apache/polaris/version/
-rw-r--r--  2.0 unx     5085 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion$PolarisVersionJarInfo.class
-rw-r--r--  2.0 unx     1735 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion$PolarisVersionNumber.class
-rw-r--r--  2.0 unx      993 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion$PolarisVersionResource.class
-rw-r--r--  2.0 unx     4256 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersion.class
-rw-r--r--  2.0 unx      693 b- defN 80-Feb-01 00:00 org/apache/polaris/version/PolarisVersionProvider.class
-rw-r--r--  2.0 unx    11358 b- defN 80-Feb-01 00:00 META-INF/LICENSE
-rw-r--r--  2.0 unx      305 b- defN 80-Feb-01 00:00 META-INF/NOTICE
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/maven/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/polaris-version/
-rw-r--r--  2.0 unx      119 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/polaris-version/pom.properties
-rw-r--r--  2.0 unx     2462 b- defN 80-Feb-01 00:00 META-INF/maven/org.apache.polaris/polaris-version/pom.xml
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/resources/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/
-rw-r--r--  2.0 unx    18848 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/LICENSE.txt
-rw-r--r--  2.0 unx      544 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/NOTICE.txt
-rw-r--r--  2.0 unx       17 b- defN 80-Feb-01 00:00 META-INF/resources/apache-polaris/version.txt
-rw-r--r--  2.0 unx      823 b- defN 80-Feb-01 00:00 org/apache/polaris/version/polaris-version.properties
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 gradle/
drwxr-xr-x  2.0 unx        0 b- defN 80-Feb-01 00:00 gradle/jar-licenses/
26 files, 47733 bytes uncompressed, 17228 bytes compressed:  63.9%

The actual content (via zipcmp) however is exactly the same.

@snazy snazy mentioned this pull request Oct 15, 2025
Open
13 tasks
@github-project-automation github-project-automation bot moved this from PRs In Progress to Ready to merge in Basic Kanban Board Oct 15, 2025
@snazy snazy merged commit 75e2698 into apache:main Oct 16, 2025
15 checks passed
@github-project-automation github-project-automation bot moved this from Ready to merge to Done in Basic Kanban Board Oct 16, 2025
@snazy snazy deleted the repro-arch-unix-perm branch October 16, 2025 15:43
snazy added a commit to snazy/polaris that referenced this pull request Nov 20, 2025
@snazy @renovate-bot @CodingBangboo
Dremio merge 2025 10 16 18 10 (apache#146)
1e2d98f 
* Update actions/stale digest to 65d1d48 (apache#2813)

* Update dependency org.testcontainers:testcontainers-bom to v2 (apache#2814)

* Site: Update community page / team (apache#2817)

Update entries for Alex + Mike (committer --> PPMC member).

* Site: fix typo of catalog federation configuration in command-line-interface.md (apache#2825)

* Update docker.io/prom/prometheus Docker tag to v3.7.0 (apache#2820)

* Update quay.io/keycloak/keycloak Docker tag to v26.4.1 (apache#2827)

* Reproducible builds: ensure unix permissions are reproducible (apache#2819)

Zip and tar files contain the unix file/directory permissions for the included zip/tar entries. The "default" values for those can differ depending on the platform those are built on. This change ensures `755` for directories and owner/group/other=read+write for files. The "executable" bit isn't forcefully set in case the archived file _is_ an executable.

* Reproducible builds: use a fixed mtime for all entries in the source tarball (apache#2823)

This change makes generated source-tarballs binary-comparable, so that locally built one (via `./gradlew sourceTarball`) should be exactly the same as a staged one.

* NoSQL: adoptions

* Last merged commit 0fdaa5a

---------

Co-authored-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: Nuoya Jiang <98131931+NuoyaJiang@users.noreply.github.com>
snazy added a commit to snazy/polaris that referenced this pull request Nov 24, 2025
@snazy
Fix executable POSIX permission in archive files
c57bbb8 
The PR apache#2819 accidentally _removed_ the executable POSIX file permission, assuming that not explicity setting the attributes via `filePermissions` retains the file-system 'x' permission.

This change updates the logic to explicitly check the owner-executable bit and uses `755` or `644` respectively for each individual file in the archive.
@snazy snazy mentioned this pull request Nov 24, 2025
Merged
snazy added a commit to snazy/polaris that referenced this pull request Nov 24, 2025
@snazy
Fix executable POSIX permission in archive files
eb81df0 
The PR apache#2819 accidentally _removed_ the executable POSIX file permission, assuming that not explicity setting the attributes via `filePermissions` retains the file-system 'x' permission.

This change updates the logic to explicitly check the owner-executable bit and uses `755` or `644` respectively for each individual file in the archive.
snazy added a commit that referenced this pull request Nov 24, 2025
@snazy
Fix executable POSIX permission in archive files (#3146)
65218ca 
The PR #2819 accidentally _removed_ the executable POSIX file permission, assuming that not explicity setting the attributes via `filePermissions` retains the file-system 'x' permission.

This change updates the logic to explicitly check the owner-executable bit and uses `755` or `644` respectively for each individual file in the archive.
pingtimeout pushed a commit to pingtimeout/polaris that referenced this pull request Nov 24, 2025
@snazy @pingtimeout
Fix executable POSIX permission in archive files (apache#3146)
3d143cd 
The PR apache#2819 accidentally _removed_ the executable POSIX file permission, assuming that not explicity setting the attributes via `filePermissions` retains the file-system 'x' permission.

This change updates the logic to explicitly check the owner-executable bit and uses `755` or `644` respectively for each individual file in the archive.
@pingtimeout pingtimeout mentioned this pull request Nov 24, 2025
Merged
pingtimeout added a commit that referenced this pull request Nov 24, 2025
@pingtimeout @snazy
Fix executable POSIX permission in archive files (#3146) (#3151)
fcc4582 
The PR #2819 accidentally _removed_ the executable POSIX file permission, assuming that not explicity setting the attributes via `filePermissions` retains the file-system 'x' permission.

This change updates the logic to explicitly check the owner-executable bit and uses `755` or `644` respectively for each individual file in the archive.

Co-authored-by: Robert Stupp <snazy@snazy.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@singhpk234 singhpk234 singhpk234 approved these changes

@dimas-b dimas-b dimas-b approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@snazy @singhpk234 @dimas-b