package.json records two hashes of package.tgz, which change for each
build, resulting in non-reproducible builds.
* guix/build/node-build-system.scm (repack): Add reproducibility options
to tar command.
#t)
(define* (repack #:key inputs #:allow-other-keys)
- (invoke "tar" "-czf" "../package.tgz" ".")
+ (invoke "tar"
+ ;; Add options suggested by https://reproducible-builds.org/docs/archives/
+ "--sort=name"
+ (string-append "--mtime=@" (getenv "SOURCE_DATE_EPOCH"))
+ "--owner=0"
+ "--group=0"
+ "--numeric-owner"
+ "-czf" "../package.tgz" ".")
#t)
(define* (install #:key outputs inputs #:allow-other-keys)
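Review bot: In `repack`, `(getenv "SOURCE_DATE_EPOCH")` returns `#f` when the variable is unset, so the `string-append` that builds `--mtime=@…` would fail with a wrong-type error instead of a clear message. An earlier phase presumably exports the variable, but that is not visible in this hunk, so an explicit guard is safer: `(or (getenv "SOURCE_DATE_EPOCH") (error "SOURCE_DATE_EPOCH is not set"))`. Separately, `-z` pipes the archive through gzip, and depending on the gzip version the header may carry its own timestamp. Since the hashes recorded in package.json cover the compressed package.tgz, it is worth confirming that two builds produce byte-identical output, or compressing explicitly with `gzip -n`. A short comment saying that the stable archive exists to keep those recorded hashes fixed would also help the next reader.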