build: Make outputs of node-build-system reproducible.

package.json records two hashes of package.tgz, which change for each
build, resulting in non-reproducible builds.

* guix/build/node-build-system.scm (repack): Add reproducibility options
to tar command.

diff --git a/guix/build/node-build-system.scm b/guix/build/node-build-system.scm
index a55cab2..70a3676 100644 (file)
--- a/guix/build/node-build-system.scm
+++ b/guix/build/node-build-system.scm
@@ -120,7 +120,14 @@
   #t)
 
 (define* (repack #:key inputs #:allow-other-keys)
-  (invoke "tar" "-czf" "../package.tgz" ".")
+  (invoke "tar"
+          ;; Add options suggested by https://reproducible-builds.org/docs/archives/
+          "--sort=name"
+          (string-append "--mtime=@" (getenv "SOURCE_DATE_EPOCH"))
+          "--owner=0"
+          "--group=0"
+          "--numeric-owner"
+          "-czf" "../package.tgz" ".")
   #t)
 
 (define* (install #:key outputs inputs #:allow-other-keys)